Abstract. We consider two characterisations of the may and must testing preorders for a probabilistic extension of the finite π-calculus: one based on notions of probabilistic weak simulations, and the other on a probabilistic extension of a fragment of Milner-Parrow-Walker modal logic for the π-calculus. We base our notions of simulations on the similar concepts used in previous work for probabilistic CSP. However, unlike the case with CSP (or other non-value-passing calculi), there are several possible definitions of simulation for the probabilistic π-calculus, which arise from different ways of scoping the name quantification. We show that in order to capture the testing preorders, one needs to use the "earliest" simulation relation (in analogy to the notion of early (bi)simulation in the non-probabilistic case). The key ideas in both characterisations are the notion of a "characteristic formula" of a probabilistic process, and the notion of a "characteristic test" for a formula. As in an earlier work on testing equivalence for the π-calculus by Boreale and De Nicola, we extend the language of the π-calculus with a mismatch operator, without which the formulation of a characteristic test will not be possible.

Keywords: Probabilistic π-calculus; Testing semantics; Bisimulation; Modal logic



1 Introduction 

We consider an extension of a finite version (without replication or recursion) of the π-calculus [15] with a probabilistic choice operator, alongside the non-deterministic choice operator of the π-calculus. Such an extension has been shown to be useful in modelling protocols and their properties, see, e.g., [17, 2]. The combination of both probabilistic and non-deterministic choice has long been a subject of study in process theories, see, e.g., [9, 24, 21, 5]. In this paper, we consider a natural notion of preorders for the probabilistic π-calculus, based on the notion of testing [3, 11]. In this testing theory, one defines a notion of test, what it means to apply a test to a process, the outcome of a test, and how the outcomes of tests can be compared. In general, the outcome of a test can be any non-empty set, endowed with a (partial) order; in the case of the original theory, this is simply a two-element lattice, with the top element representing success and the bottom element representing failure. In the probabilistic case, the set of outcomes is the unit interval $[0,1]$, denoting probabilities of success, with the standard mathematical ordering $\le$. In the presence of non-determinism, it is natural to consider a set of such probabilities as the result of applying a test to a process. Two standard approaches for comparing results of a test are the so-called Hoare preorder, written $\sqsubseteq_{Ho}$, and the Smyth preorder, $\sqsubseteq_{Sm}$ [10]:

— $O_1 \sqsubseteq_{Ho} O_2$ if for every $o_1 \in O_1$ there exists $o_2 \in O_2$ such that $o_1 \le o_2$.

— $O_1 \sqsubseteq_{Sm} O_2$ if for every $o_2 \in O_2$ there exists $o_1 \in O_1$ such that $o_1 \le o_2$.

Correspondingly, these give rise to two semantic preorders for processes:

— may-testing: $P \sqsubseteq_{pmay} Q$ iff for every test $T$, $Apply(T,P) \sqsubseteq_{Ho} Apply(T,Q)$;

— must-testing: $P \sqsubseteq_{pmust} Q$ iff for every test $T$, $Apply(T,P) \sqsubseteq_{Sm} Apply(T,Q)$,

where $Apply(T,P)$ refers to the result of applying the test $T$ to the process $P$.

We derive two characterisations of both may-testing and must-testing: one based on a notion of probabilistic weak (failure) simulation [21], and the other based on a modal logic obtained by extending Milner-Parrow-Walker (MPW) modal logic for the (non-probabilistic) π-calculus [16].

The probabilistic π-calculus that we consider here is a variant of the probabilistic π-calculus considered in [2], but extended with the mismatch operator. As has already been observed in the testing semantics for the non-probabilistic π-calculus [1], the omission of mismatch would result in a strictly less discriminating test. This is essentially due to the possibility of two kinds of output transitions in the π-calculus, a bound-output action, which outputs a new name, e.g., $\bar x(w).0$, and a free-output action, e.g., $\bar x y.0$. Without the mismatch operator, the two processes are related via may-testing, because the test cannot distinguish between output of a fresh name and output of an arbitrary name (see [1]).

The technical framework used to prove the main results in this paper is based on previous works on probabilistic CSP (pCSP) [7, 5], an extension of Hoare's CSP [13] with a probabilistic choice operator. This allows us to adapt some proofs and results from [7, 5] that are not calculus-specific. The name-passing feature of the π-calculus, however, gives rise to several difficulties not found in non-name-passing calculi such as pCSP, and it consequently requires new techniques to deal with. For instance, there is no canonical notion of (weak) simulation in the π-calculus, unlike the case with pCSP. Different variants arise from different ways of scoping the name quantification in the simulation clause dealing with input transitions, e.g., the "early" vs. the "late" variants of (bi)simulation [15]. In the case of weak simulation, one also gets a "delay" variant of (bi)simulation [8, 18, 23]. As we show in Section 4, the right notion of simulation is the early variant, as all other weak simulation relations are strictly more discriminating than the early one. Another difficulty is in proving congruence properties, a prerequisite for the soundness of the (failure) simulation preorders. The possibility of performing a 'close' communication in the π-calculus requires a combination of closure under parallel composition and name restriction (see Section 5). We use the so-called "up-to" techniques [19] for non-probabilistic calculi to prove these congruences.
We show that $\sqsubseteq_{pmay}$ coincides with a simulation preorder $\sqsubseteq_S$ and a preorder $\sqsubseteq_{\mathcal L}$ induced by a modal logic $\mathcal L$ extending the MPW logic. Dually, the must-testing preorder is shown to coincide with a failure simulation preorder, $\sqsubseteq_{FS}$, and a preorder $\sqsubseteq_{\mathcal F}$ induced by a modal logic $\mathcal F$ extending $\mathcal L$. For technical reasons in proving the completeness result of (failure) simulation, we make use of testing preorders involving vector-based testing ($\sqsubseteq^\Omega_{pmay}$ and $\sqsubseteq^\Omega_{pmust}$ below). The precise relations among these preorders are as follows:

$$\sqsubseteq_S \;\subseteq\; \sqsubseteq_{pmay} \;=\; \sqsubseteq^\Omega_{pmay} \;\subseteq\; \sqsubseteq_{\mathcal L} \;\subseteq\; \sqsubseteq_S$$
$$\sqsubseteq_{FS} \;\subseteq\; \sqsubseteq_{pmust} \;=\; \sqsubseteq^\Omega_{pmust} \;\subseteq\; \sqsubseteq_{\mathcal F} \;\subseteq\; \sqsubseteq_{FS}.$$

The proofs of these inclusions are the subjects of Section 5, Section 6 and Section 7. Let us highlight the characterisations of the may-testing preorder. As with the case with pCSP [5], the key idea in the proof of the inclusion $\sqsubseteq_{\mathcal L} \subseteq \sqsubseteq_S$ is to show that for each process $P$, there exists a characteristic formula $\varphi_P$ such that if $Q \models \varphi_P$ then $P \sqsubseteq_S Q$. The inclusion $\sqsubseteq_{pmay} \subseteq \sqsubseteq_{\mathcal L}$ is proved by showing that for each formula $\varphi$, there exists a characteristic test $T_\varphi$ such that for all processes $P$, $P \models \varphi$ iff $P$ passes the test $T_\varphi$ with some threshold testing outcome.



2 Processes and probabilistic distributions 

We consider an extension of the (finite) π-calculus with a probabilistic choice operator, ${}_p\oplus$, where $p \in (0,1]$. We shall be using the late version of the operational semantics, formulated in the reactive style (in the sense of [22]) following previous work [7, 5]. The use of the late semantics allows for a straightforward definition of characteristic formulas (see Section 6), which are used in the completeness proof. So our testing equivalence is essentially a "late" testing equivalence. However, as has been shown in [14, 1], late and early testing equivalences coincide for value-passing/name-passing calculi.

We assume a countably infinite set of names, ranged over by $a, b, x, y$ etc. Given a name $a$, its co-name is $\bar a$. We use $\mu$ to denote a name or a co-name. Process expressions are generated by the following two-sorted grammar:

$$P ::= s \;\mid\; P\ {}_p\oplus\ P$$
$$s ::= 0 \;\mid\; a(x).s \;\mid\; \bar a x.s \;\mid\; [x = y]s \;\mid\; [x \ne y]s \;\mid\; s + s \;\mid\; s \,|\, s \;\mid\; \nu x.s$$

We let $P, Q, \ldots$ range over process terms defined by this grammar, and $s, t$ range over the subset $S_p$ comprising only the state-based process terms, i.e. the sub-sort $s$.

The input prefix $a(x)$ and restriction $\nu x$ are name-binding constructs; $x$ in this case is a bound name. We denote with $fn(P)$ the set of free names in $P$ and $bn(P)$ the set of bound names. The set of names in $P$ (free or bound) is denoted by $n(P)$. We shall assume that bound names are different from each other and different from any free names. Processes are considered equivalent modulo renaming of bound names. Processes are ranged over by $P, Q, R$, etc. We shall refer to our probabilistic extension of the π-calculus as $\pi_p$.

We shall sometimes use an n-ary version of the binary operators. For example, we use $\bigoplus_{i \in I} p_i P_i$, where $\sum_{i \in I} p_i = 1$, to denote a process obtained by several applications of the probabilistic choice operator. Similarly, $\sum_{i \in I} s_i$ denotes several applications of the non-deterministic choice operator $+$. We shall use the τ-prefix, as in $\tau.P$, as an abbreviation of $\nu x.(x(y).0 \,|\, \bar x x.P)$, where $x, y \notin fn(P)$.

In this paper, we take the viewpoint that a probabilistic process represents an unstable state that may probabilistically evolve into some stable states. Formally, we describe unstable states as distributions and stable states as state-based processes. Note that in a state-based process, probabilistic choice can only appear under input/output prefixes. The operational semantics of $\pi_p$ will be defined only for state-based processes.

Probabilistic distributions are ranged over by $\Delta$. A discrete probability distribution over a set $S$ is a mapping $\Delta : S \to [0,1]$ with $\sum_{s \in S} \Delta(s) = 1$. The support of a distribution $\Delta$, denoted by $\lceil\Delta\rceil$, is the set $\{s \mid \Delta(s) > 0\}$. From now on, we shall restrict to only probability distributions with finite support, and we let $\mathcal D(S)$ denote the collection of such distributions over $S$. If $s$ is a state-based process, then $\delta[s]$ denotes the point distribution that maps $s$ to $1$. For a finite index set $I$, given $p_i$ and distributions $\Delta_i$, for each $i \in I$, such that $\sum_{i \in I} p_i = 1$, we define another probability distribution $\sum_{i \in I} p_i \cdot \Delta_i$ as $(\sum_{i \in I} p_i \cdot \Delta_i)(s) = \sum_{i \in I} p_i \cdot \Delta_i(s)$, where $\cdot$ here denotes multiplication. We shall sometimes write this distribution as a summation $p_1 \cdot \Delta_1 + p_2 \cdot \Delta_2 + \ldots + p_n \cdot \Delta_n$ when the index set $I$ is $\{1, \ldots, n\}$.

Probabilistic processes are interpreted as distributions over state-based processes as follows.

$$[\![s]\!] ::= \delta[s] \quad \text{for } s \in S_p$$
$$[\![P\ {}_p\oplus\ Q]\!] ::= p \cdot [\![P]\!] + (1 - p) \cdot [\![Q]\!]$$

Note that for each process term $P$ the distribution $[\![P]\!]$ is finite, that is, it has finite support.

A transition judgment can take one of the following forms:

$$s \xrightarrow{a(x)} \Delta \qquad s \xrightarrow{\tau} \Delta \qquad s \xrightarrow{\bar a x} \Delta \qquad s \xrightarrow{\bar a(x)} \Delta$$

The action $a(x)$ is called a bound-input action; $\tau$ is the silent action; $\bar a x$ is a free-output action and $\bar a(x)$ is a bound-output action. In actions $a(x)$ and $\bar a(x)$, $x$ is a bound name. Given an action $\alpha$, we denote with $fn(\alpha)$ the set of free names in $\alpha$, i.e., those names in $\alpha$ which are not bound names. The set of bound names in $\alpha$ is denoted by $bn(\alpha)$, and the set of all names (free and bound) in $\alpha$ is denoted by $n(\alpha)$. The free names of a distribution are the union of the free names of its support, i.e., $fn(\Delta) = \bigcup\{fn(s) \mid s \in \lceil\Delta\rceil\}$.

A substitution is a mapping from names to names; substitutions are ranged over by $\rho$, $\sigma$ and $\theta$. A substitution $\theta$ is a renaming substitution if $\theta$ is an injective map, i.e., $\theta(x) = \theta(y)$ implies $x = y$. A substitution is extended to a mapping between processes in the standard way, avoiding capture of free variables. We use the notation $s[y/x]$ to denote the result of substituting free occurrences of $x$ in $s$ with $y$. Substitution is lifted to a mapping between distributions as follows:

$$\Delta[y/x](s) = \sum\{\Delta(s') \mid s'[y/x] = s\}.$$

It can be verified that $[\![P[y/x]]\!] = [\![P]\!][y/x]$ for every process $P$.

— Act: $\alpha.P \xrightarrow{\alpha} [\![P]\!]$

— Sum: if $s \xrightarrow{\alpha} \Delta$ then $s + t \xrightarrow{\alpha} \Delta$

— Match: if $s \xrightarrow{\alpha} \Delta$ then $[x = x]s \xrightarrow{\alpha} \Delta$

— Mismatch ($x \ne y$): if $s \xrightarrow{\alpha} \Delta$ then $[x \ne y]s \xrightarrow{\alpha} \Delta$

— Par ($bn(\alpha) \cap fn(t) = \emptyset$): if $s \xrightarrow{\alpha} \Delta$ then $s \,|\, t \xrightarrow{\alpha} \Delta \,|\, \delta[t]$

— Com: if $s \xrightarrow{a(x)} \Delta_1$ and $t \xrightarrow{\bar a y} \Delta_2$ then $s \,|\, t \xrightarrow{\tau} \Delta_1[y/x] \,|\, \Delta_2$

— Close: if $s \xrightarrow{a(w)} \Delta_1$ and $t \xrightarrow{\bar a(w)} \Delta_2$ then $s \,|\, t \xrightarrow{\tau} \nu w.(\Delta_1 \,|\, \Delta_2)$

— Res ($x \notin n(\alpha)$): if $s \xrightarrow{\alpha} \Delta$ then $\nu x.s \xrightarrow{\alpha} \nu x.\Delta$

— Open ($y \ne x$, $y \notin fn(\nu z.s)$): if $s \xrightarrow{\bar x z} \Delta$ then $\nu z.s \xrightarrow{\bar x(y)} \Delta[y/z]$

Fig. 1. The operational semantics of $\pi_p$.

The operational semantics is given in Figure 1. The rules for parallel composition and restriction use an obvious notation for distributing an operator over distributions, for example:

$$(\Delta_1 \,|\, \Delta_2)(s) = \begin{cases} \Delta_1(s_1) \cdot \Delta_2(s_2) & \text{if } s = s_1 \,|\, s_2 \\ 0 & \text{otherwise} \end{cases}$$

$$(\nu x.\Delta)(s) = \begin{cases} \Delta(s') & \text{if } s = \nu x.s' \\ 0 & \text{otherwise.} \end{cases}$$

The symmetric counterparts of Sum, Par, Com and Close are omitted. The semantics of $\pi_p$ processes is presented in terms of simple probabilistic automata [21].



3 Testing probabilistic processes 

As is standard in testing theories [3, 11, 1], to define a test, we introduce a distinguished name $\omega$ which can only be used in tests and is not part of the processes being tested. A test is just a probabilistic process with possible free occurrences of the name $\omega$ as channel name in output prefixes, i.e., a test is a process which may have subterms of the form $\bar\omega a.P$. Note that the object of the action prefix (i.e., the name $a$) is irrelevant for the purpose of testing. Note also that it makes no difference whether the name $\omega$ appears in input prefixes instead of output prefixes; the notion of testing preorder will remain the same. Therefore we shall often simply write $\omega.P$ to denote $\bar\omega a.P$, and $P \xrightarrow{\omega} \Delta$ to denote $P \xrightarrow{\bar\omega a} \Delta$. The definitions of the may-testing preorder, $\sqsubseteq_{pmay}$, and the must-testing preorder, $\sqsubseteq_{pmust}$, have already been given in the introduction, but we left out the definition of the $Apply$ function. This will be given below.

Following [7], to define the $Apply$ function, we first define a results-gathering function $\mathcal V : S_p \to \mathcal P([0,1])$ as follows:

$$\mathcal V(s) = \begin{cases} \{1\} & \text{if } s \xrightarrow{\omega} \\ \bigcup\{\mathcal V(\Delta) \mid s \xrightarrow{\tau} \Delta\} & \text{if } s \xrightarrow{\tau} \text{ but } s \not\xrightarrow{\omega} \\ \{0\} & \text{otherwise.} \end{cases}$$

Here the notation $\mathcal P([0,1])$ stands for the powerset of $[0,1]$, and we use $\mathcal V(\Delta)$ to denote the set of probabilities $\{\sum_{s \in \lceil\Delta\rceil} \Delta(s) \cdot p_s \mid p_s \in \mathcal V(s)\}$. The $Apply$ function is then defined as follows: given a test $T$ and a process $P$,

$$Apply(T,P) = \mathcal V([\![\nu\tilde x.(T \,|\, P)]\!])$$

where $\{\tilde x\}$ is the set of free names in $T$ and $P$, excluding $\omega$. So the process (or rather, the distribution) $\nu\tilde x.(T \,|\, P)$ can only perform an observable action on $\omega$.
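
The following is an added example, not code from the paper: a small Python model of the results-gathering function $\mathcal V$ above together with the Hoare and Smyth comparisons from the introduction. It assumes a constructed, divergence-free transition system whose states stand for state-based processes of an already composed and restricted system $\nu\tilde x.(T \,|\, P)$, so the only observable left is the success action $\omega$; the state names and the probabilities are invented for the illustration.

```python
from fractions import Fraction
from itertools import product

# Constructed transition system (not from the paper). Each entry reads
#   LTS[state] = (can_do_omega, [tau-successor distributions])
# where a distribution is {state: probability} with probabilities summing to 1.
# The system is finite and has no tau-cycles, matching the paper's
# divergence-free setting, so the recursion in V below terminates.
LTS = {
    # a0: nondeterministic choice between a fair coin and certain success
    "a0": (False, [{"coin_h": Fraction(1, 2), "coin_t": Fraction(1, 2)},
                   {"win": Fraction(1)}]),
    # b0: only the fair coin
    "b0": (False, [{"coin_h": Fraction(1, 2), "coin_t": Fraction(1, 2)}]),
    # w0: a probabilistic step first; with probability 1/3 it behaves like a0
    "w0": (False, [{"a0": Fraction(1, 3), "win": Fraction(2, 3)}]),
    "coin_h": (True, []),   # success action omega is enabled here
    "coin_t": (False, []),  # deadlock: neither omega nor tau
    "win": (True, []),
}


def V(s, lts=LTS):
    """V(s) = {1} if s can do omega; the union of V(Delta) over all tau
    moves s -tau-> Delta if s has a tau move but no omega; {0} otherwise."""
    can_omega, tau_moves = lts[s]
    if can_omega:
        return {Fraction(1)}
    if tau_moves:
        result = set()
        for delta in tau_moves:
            result |= V_dist(delta, lts)
        return result
    return {Fraction(0)}


def V_dist(delta, lts=LTS):
    """V lifted to a distribution: { sum_s Delta(s) * p_s | p_s in V(s) }.
    One outcome p_s is picked from V(s) for every state in the support,
    independently, which is what the set comprehension in the text expresses."""
    states = list(delta)
    outcome_sets = [sorted(V(s, lts)) for s in states]
    return {sum(delta[s] * p for s, p in zip(states, pick))
            for pick in product(*outcome_sets)}


def hoare_le(o1, o2):
    """O1 below O2 in the Hoare preorder: every o1 is below some o2 (may-testing)."""
    return all(any(a <= b for b in o2) for a in o1)


def smyth_le(o1, o2):
    """O1 below O2 in the Smyth preorder: every o2 is above some o1 (must-testing)."""
    return all(any(a <= b for a in o1) for b in o2)


def compare(p, q, lts=LTS):
    """Return (may, must) for this single composed system, i.e. whether
    V(p) is Hoare-below V(q) and whether V(p) is Smyth-below V(q).
    The real preorders quantify over all tests; this is one test's worth."""
    vp, vq = V(p, lts), V(q, lts)
    return hoare_le(vp, vq), smyth_le(vp, vq)


if __name__ == "__main__":
    for s in ("a0", "b0", "w0"):
        print(s, sorted(V(s)))
    print("b0 vs a0 (may, must):", compare("b0", "a0"))
    print("a0 vs b0 (may, must):", compare("a0", "b0"))
```

The two systems a0 and b0 are distinguished by may-testing (the Hoare comparison fails in one direction) but not by must-testing, since both offer the worst case 1/2.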


Vector-based testing. Following [5], we introduce another approach of testing called vector-based testing, which will play an important role in Section 7.

Let $\Omega$ be a set of fresh success actions different from any normal channel names. An $\Omega$-test is a $\pi_p$-process, but allowing subterms $\omega.P$ for any $\omega \in \Omega$. Applying such a test $T$ to a process $P$ yields a non-empty set of test outcome-tuples $Apply^\Omega(T,P) \subseteq [0,1]^\Omega$. For each such tuple, its $\omega$-component gives the probability of successfully performing action $\omega$.

To define a results-gathering function for vector-based testing, we need some auxiliary notations. For any action $\alpha$ define $\alpha! : [0,1]^\Omega \to [0,1]^\Omega$ by

$$\alpha!o(\omega) = \begin{cases} 1 & \text{if } \omega = \alpha \\ o(\omega) & \text{otherwise} \end{cases}$$

so that if $\alpha$ is a success action in $\Omega$ then $\alpha!$ updates the tuple to $1$ at that point, leaving it unchanged otherwise, and when $\alpha \notin \Omega$ the function $\alpha!$ is the identity. For any set $O \subseteq [0,1]^\Omega$, we write $\alpha!O$ for the set $\{\alpha!o \mid o \in O\}$. For any set $X$ define its convex closure $\Updownarrow X$ by

$$\Updownarrow X := \{\textstyle\sum_{i \in I} p_i \cdot o_i \mid o_i \in X \text{ for each } i \in I \text{ and } \sum_{i \in I} p_i = 1\}.$$

Here, $I$ is assumed to be a finite index set. Finally, the zero vector $\vec 0$ is given by $\vec 0(\omega) = 0$ for all $\omega \in \Omega$. Let $S_p^\Omega$ be the set of state-based $\Omega$-tests.
Definition 1. The vector-based results-gathering function $\mathcal V^\Omega : S_p^\Omega \to \mathcal P([0,1]^\Omega)$ is given by

$$\mathcal V^\Omega(s) = \begin{cases} \Updownarrow \bigcup\{\alpha!\,\mathcal V^\Omega(\Delta) \mid s \xrightarrow{\alpha} \Delta\} & \text{if } s \to \\ \{\vec 0\} & \text{otherwise.} \end{cases}$$

The notation $s \to$ means that $s$ is not a deadlock state, i.e. there is some $\alpha$ and $\Delta$ such that $s \xrightarrow{\alpha} \Delta$. For any process $P$ and $\Omega$-test $T$, we define $Apply^\Omega(T,P)$ as $\mathcal V^\Omega([\![\nu\tilde x.(T \,|\, P)]\!])$, where $\{\tilde x\} = fn(T,P) - \Omega$. The vector-based may and must preorders are given by

— $P \sqsubseteq^\Omega_{pmay} Q$ iff for all $\Omega$-tests $T$: $Apply^\Omega(T,P) \sqsubseteq_{Ho} Apply^\Omega(T,Q)$;

— $P \sqsubseteq^\Omega_{pmust} Q$ iff for all $\Omega$-tests $T$: $Apply^\Omega(T,P) \sqsubseteq_{Sm} Apply^\Omega(T,Q)$,

where $\sqsubseteq_{Ho}$ and $\sqsubseteq_{Sm}$ are the Hoare and Smyth preorders on $\mathcal P([0,1]^\Omega)$ generated from $\le$ index-wise on $[0,1]^\Omega$.

Notice a subtle difference between the definition of $\mathcal V^\Omega$ above and the definition of $\mathcal V$ given earlier. In $\mathcal V^\Omega$, we use action-based testing, i.e., the actual execution of $\omega$ constitutes a success. This is in contrast to the state-based testing in $\mathcal V$, where a success is defined for a state where a success action $\omega$ is possible, without having to actually perform the action $\omega$. In the case where there is no divergence, as in our case, these two notions of testing coincide; see [5] for more details.

The following theorem can be shown by adapting the proof of Theorem 6.6 in [5], which states a general property about probabilistic automata [4].

Theorem 1. Let $P$ and $Q$ be any $\pi_p$-processes.

1. $P \sqsubseteq_{pmay} Q$ iff $P \sqsubseteq^\Omega_{pmay} Q$.

2. $P \sqsubseteq_{pmust} Q$ iff $P \sqsubseteq^\Omega_{pmust} Q$.

4 Simulation and Failure Simulation 

To define simulation and failure simulation, we need to generalise the transition relations between states and distributions to those between distributions and distributions. This is defined via a notion of lifting of a relation.

Definition 2 (Lifting [6]). Given a relation $\mathcal R \subseteq S_p \times \mathcal D(S_p)$, define a lifted relation $\overline{\mathcal R} \subseteq \mathcal D(S_p) \times \mathcal D(S_p)$ as the smallest relation that satisfies

1. $s \,\mathcal R\, \Theta$ implies $\delta[s] \,\overline{\mathcal R}\, \Theta$;

2. (Linearity) $\Delta_i \,\overline{\mathcal R}\, \Theta_i$ for all $i \in I$ implies $(\sum_{i \in I} p_i \cdot \Delta_i) \,\overline{\mathcal R}\, (\sum_{i \in I} p_i \cdot \Theta_i)$ for any $p_i \in [0,1]$ with $\sum_{i \in I} p_i = 1$.

The following is a useful property of the lifting operation.

Proposition 1 ([7]). Suppose $\mathcal R \subseteq S \times \mathcal D(S)$ and $\sum_{i \in I} p_i = 1$. If $(\sum_{i \in I} p_i \cdot \Delta_i) \,\overline{\mathcal R}\, \Theta$ then $\Theta = \sum_{i \in I} p_i \cdot \Theta_i$ for some set of distributions $\Theta_i$ such that $\Delta_i \,\overline{\mathcal R}\, \Theta_i$ for all $i \in I$.




For simplicity of presentation, the lifted version of the transition relation $\xrightarrow{\alpha}$ will be denoted by the same notation as the unlifted version. So we shall write $\Delta \xrightarrow{\alpha} \Theta$ when $\Delta$ and $\Theta$ are related by the lifted relation from $\xrightarrow{\alpha}$.

Note that in the lifted transition $\Delta \xrightarrow{\alpha} \Theta$, all processes in $\lceil\Delta\rceil$ must be able to simultaneously make the transition $\alpha$. For example,

$$\tfrac12 \cdot \delta[\bar a x.s] + \tfrac12 \cdot \delta[\bar a x.t] \xrightarrow{\bar a x} \tfrac12 \cdot \delta[s] + \tfrac12 \cdot \delta[t]$$

but the distribution $\tfrac12 \cdot \delta[\bar a x.s] + \tfrac12 \cdot \delta[\bar b x.t]$ will not be able to make that transition. We need a few more relations to define (failure) simulation:

— We write $s \xrightarrow{\hat\tau} \Delta$ to denote either $s \xrightarrow{\tau} \Delta$ or $\Delta = \delta[s]$. Its lifted version will be denoted by the same notation, e.g., $\Delta_1 \xrightarrow{\hat\tau} \Delta_2$. The reflexive-transitive closure of the latter is denoted by $\Longrightarrow$.

— $\Delta_1 \stackrel{\alpha}{\Longrightarrow} \Delta_2$, for $\alpha \ne \tau$, iff $\Delta_1 \Longrightarrow \Delta' \xrightarrow{\alpha} \Delta'' \Longrightarrow \Delta_2$ for some $\Delta'$ and $\Delta''$.

— We write $s \downarrow a$ to denote $s \xrightarrow{a(x)}$, and $s \downarrow \bar a$ to denote either $s \xrightarrow{\bar a(x)}$ or $s \xrightarrow{\bar a x}$; $s \not\downarrow \mu$ stands for the negation. We write $s \not\downarrow X$ when $s \not\xrightarrow{\tau}$ and $\forall \mu \in X : s \not\downarrow \mu$, and $\Delta \not\downarrow X$ when $\forall s \in \lceil\Delta\rceil : s \not\downarrow X$.
Definition 3. A relation $\mathcal R \subseteq S_p \times \mathcal D(S_p)$ is said to be a failure simulation if $s \,\mathcal R\, \Theta$ implies:

1. If $s \xrightarrow{a(x)} \Delta$ and $x \notin fn(s, \Theta)$, then for every name $w$, there exist $\Theta_1$, $\Theta_2$ and $\Theta'$ such that
$$\Theta \Longrightarrow \Theta_1 \xrightarrow{a(x)} \Theta_2, \qquad \Theta_2[w/x] \Longrightarrow \Theta', \qquad \text{and} \qquad (\Delta[w/x]) \,\overline{\mathcal R}\, \Theta'.$$

2. If $s \xrightarrow{\alpha} \Delta$ and $\alpha$ is not an input action, then there exists $\Theta'$ such that
$$\Theta \stackrel{\alpha}{\Longrightarrow} \Theta' \qquad \text{and} \qquad \Delta \,\overline{\mathcal R}\, \Theta'.$$

3. If $s \not\downarrow X$ then there exists $\Theta'$ such that $\Theta \Longrightarrow \Theta' \not\downarrow X$.

We denote with $\lhd_{FS}$ the largest failure simulation relation. Similarly, we define simulation and $\lhd_S$ by dropping the third clause above. The simulation preorder $\sqsubseteq_S$ and failure simulation preorder $\sqsubseteq_{FS}$ on process terms are defined by letting

$P \sqsubseteq_S Q$ iff there is a distribution $\Theta$ with $[\![Q]\!] \Longrightarrow \Theta$ and $[\![P]\!] \,\overline{\lhd_S}\, \Theta$.

$P \sqsubseteq_{FS} Q$ iff there is a distribution $\Theta$ with $[\![P]\!] \Longrightarrow \Theta$ and $[\![Q]\!] \,\overline{\lhd_{FS}}\, \Theta$.

Notice the rather unusual clause for input actions, where no silent action from $\Theta_2$ is permitted after the input transition. This is reminiscent of the notion of delay (bi)simulation [8, 18, 23]. If instead of that clause, we simply require $\Theta \stackrel{a(x)}{\Longrightarrow} \Theta''$ and $\Delta[w/x] \,\overline{\mathcal R}\, \Theta''[w/x]$ then, in the presence of mismatch, simulation is not sound w.r.t. the may-testing preorder, even in the non-probabilistic case. Consider, for example, the following processes:

$$P = a(x).\bar a b \qquad Q = a(x).[x \ne c]\tau.\bar a b$$

where we recall that $\tau.R$ abbreviates $\nu z.(z(u) \,|\, \bar z z.R)$ for some $z \notin fn(R)$. The process $P$ can make an input transition, and regardless of the value of the input, it can then output $b$ on channel $a$. Notice that for $Q$, we have

$$Q \xrightarrow{a(x)} [x \ne c]\tau.\bar a b \xrightarrow{\tau} \nu z.(0 \,|\, \bar a b) = Q'.$$

$Q'$ can also output $b$ on channel $a$, so under this alternative definition, $Q$ can simulate $P$. But $P \not\sqsubseteq_{pmay} Q$, as the test $\bar a c.a(y).\omega$ will distinguish them. This issue has also appeared in the theory of weak (late) bisimulation for the non-probabilistic π-calculus; see, e.g., [20].

Note that the above definition of $\lhd_S$ is what is usually called the "early" simulation. One can obtain different variants of "late" simulation using different alternations of the universal quantification on names and the existential quantifications on distributions in clause 1 of Definition 3. Any of these variants leads to a strictly more discriminating simulation. To see why, consider the weakest of such late variants, i.e., one in which the universal quantifier on $w$ comes after the existential quantifier on $\Theta_1$:

If $s \xrightarrow{a(x)} \Delta$ and $x \notin fn(s, \Theta)$, then there exists $\Theta_1$ such that for every name $w$, there exist $\Theta_2$ and $\Theta'$ such that
$$\Theta \Longrightarrow \Theta_1 \xrightarrow{a(x)} \Theta_2, \qquad \Theta_2[w/x] \Longrightarrow \Theta', \qquad \text{and} \qquad (\Delta[w/x]) \,\overline{\mathcal R}\, \Theta'.$$

Let us denote this variant with $\sqsubseteq_{S''}$. Consider the following processes:

$$P = a(x).\bar b x.0 + a(x).0 + a(x).[x = z]\bar b x.0 \qquad Q = \tau.a(x).\bar b x.0 + \tau.a(x).0$$

It is easy to see that $P \sqsubseteq_S Q$ but $P \not\sqsubseteq_{S''} Q$.

If we drop the silent transitions $\Theta_2[w/x] \Longrightarrow \Theta'$ in clause (1) of Definition 3, i.e., we let $\Theta' = \Theta_2[w/x]$ (hence, we get a delay simulation), then again we get a strictly stronger relation than $\sqsubseteq_S$. Let us refer to this stronger relation as $\sqsubseteq_D$. Let $P$ be $a(x).(c\ {}_{\frac12}\oplus\ d)$ and let $Q$ be $a(x).\tau.(c\ {}_{\frac12}\oplus\ d)$. Here we remove the parameters in the input prefixes $c$ and $d$ to simplify presentation. Again, it can be shown that $P \sqsubseteq_S Q$ but $P \not\sqsubseteq_D Q$. For the latter to hold, we would have to prove $\tfrac12 \cdot \delta[c] + \tfrac12 \cdot \delta[d] \,\lhd_S\, \delta[\tau.(c\ {}_{\frac12}\oplus\ d)]$, which is impossible.

Note that (failure) simulation is a relation between processes and distribu- 
tions, rather than between processes, so it is not immediately obvious that it is a 
preorder. This is established in Corollary 1 below, whose proof requires a series 
of lemmas. 

In the following, when we apply a substitution to an action, we assume that the substitution affects both the free and the bound names in the action. For example, if $\alpha = a(x)$ and $\theta = [b/a, y/x]$ then $\alpha\theta = b(y)$. However, application of a substitution to processes or distributions must still avoid capture.
Lemma 1. Suppose $\sigma$ is a renaming substitution.

1. If $s \xrightarrow{\alpha} \Delta$ then $s\sigma \xrightarrow{\alpha\sigma} \Delta\sigma$.

2. If $\Delta \stackrel{\alpha}{\Longrightarrow} \Delta'$ then $\Delta\sigma \stackrel{\alpha\sigma}{\Longrightarrow} \Delta'\sigma$.

Lemma 2. Let $I$ be a finite index set, and let $\sum_{i \in I} p_i = 1$. Suppose $s_i \xrightarrow{a(x_i)} \Delta_i$ for each $i \in I$. Let $x$ be a fresh name not occurring in any of $s_i$, $a(x_i)$ or $\Delta_i$. Then

$$\sum_{i \in I} p_i \cdot \delta[s_i] \xrightarrow{a(x)} \sum_{i \in I} p_i \cdot \Delta_i[x/x_i].$$

Given the above lemma, given transitions $s_i \xrightarrow{a(x_i)} \Delta_i$, we can always assume that all the $x_i$ are the same fresh name, so that when lifting those transitions to distributions, we shall omit the explicit renaming of individual $x_i$. This will simplify the presentation of the proofs in the following. The same remark applies to bound output transitions.

Lemma 3. Suppose $\sum_{i \in I} p_i = 1$ and $\Delta_i \Longrightarrow \Phi_i$ for each $i \in I$, where $I$ is a finite index set. Then

$$\sum_{i \in I} p_i \cdot \Delta_i \Longrightarrow \sum_{i \in I} p_i \cdot \Phi_i.$$

Proof. Same as in the proof of Lemma 6.6 in [7]. □

Lemma 4. For every state-based process $s$, we have $s \lhd_S \delta[s]$ and $s \lhd_{FS} \delta[s]$.

Proof. Let $\mathcal R \subseteq S_p \times \mathcal D(S_p)$ be the relation defined as follows: $s \,\mathcal R\, \Theta$ iff $\Theta = \delta[s]$. It is easy to see that $\mathcal R$ is a simulation and also a failure simulation. □

Lemma 5. Suppose $\Delta \lhd_S \Phi$ and $\Delta \xrightarrow{\alpha} \Delta'$, where $\alpha$ is either $\tau$, a free action or a bound output action. Then $\Phi \stackrel{\alpha}{\Longrightarrow} \Phi'$ for some $\Phi'$ such that $\Delta' \lhd_S \Phi'$.

Proof. Similar to the proof of Lemma 6.7 in [7]. □

a(x) 

Lemma 6. Suppose $\Delta \lhd_S \Phi$ and $\Delta \xrightarrow{a(x)} \Delta'$. Then for every name $w$, there exist $\Phi_1$, $\Phi_2$ and $\Phi'$ such that

$$\Phi \Longrightarrow \Phi_1 \xrightarrow{a(x)} \Phi_2, \qquad \Phi_2[w/x] \Longrightarrow \Phi' \qquad \text{and} \qquad (\Delta'[w/x]) \lhd_S \Phi'.$$

Proof. From $\Delta \lhd_S \Phi$ we have that

$$\Delta = \sum_{i \in I} p_i \cdot \delta[s_i], \qquad s_i \lhd_S \Phi_i, \qquad \Phi = \sum_{i \in I} p_i \cdot \Phi_i, \tag{1}$$

and from $\Delta \xrightarrow{a(x)} \Delta'$ we have:

$$\Delta = \sum_{j \in J} q_j \cdot \delta[t_j], \qquad t_j \xrightarrow{a(x)} \Theta_j, \qquad \Delta' = \sum_{j \in J} q_j \cdot \Theta_j. \tag{2}$$

We assume w.l.o.g. that all $p_i$ and $q_j$ are non-zero. Following [7], we define two index sets: $I_j = \{i \in I \mid s_i = t_j\}$ and $J_i = \{j \in J \mid t_j = s_i\}$. Obviously, we have

$$\{(i,j) \mid i \in I, j \in J_i\} = \{(i,j) \mid j \in J, i \in I_j\}, \tag{3}$$

and

$$\sum_{i \in I_j} p_i = \Delta(t_j) \ \text{ for each } j \in J, \qquad \sum_{j \in J_i} q_j = \Delta(s_i) \ \text{ for each } i \in I. \tag{4}$$

It follows from (4) that we can rewrite $\Phi$ as

$$\Phi = \sum_{i \in I} \sum_{j \in J_i} \frac{p_i \cdot q_j}{\Delta(s_i)} \cdot \Phi_i.$$

Note that $s_i = t_j$ when $j \in J_i$. Since $s_i \lhd_S \Phi_i$, and $s_i = t_j \xrightarrow{a(x)} \Theta_j$, we have, given any name $w$, some $\Phi^1_{ij}$, $\Phi^2_{ij}$ and $\Phi'_{ij}$ such that:

$$\Phi_i \Longrightarrow \Phi^1_{ij} \xrightarrow{a(x)} \Phi^2_{ij}, \qquad \Phi^2_{ij}[w/x] \Longrightarrow \Phi'_{ij}, \qquad \Theta_j[w/x] \lhd_S \Phi'_{ij}. \tag{5}$$

Let

$$\Phi_1 = \sum_{i \in I} \sum_{j \in J_i} \frac{p_i \cdot q_j}{\Delta(s_i)} \cdot \Phi^1_{ij}, \qquad \Phi_2 = \sum_{i \in I} \sum_{j \in J_i} \frac{p_i \cdot q_j}{\Delta(s_i)} \cdot \Phi^2_{ij}, \qquad \Phi' = \sum_{i \in I} \sum_{j \in J_i} \frac{p_i \cdot q_j}{\Delta(s_i)} \cdot \Phi'_{ij}.$$

Lemma 3 and (5) above give us:

$$\Phi \Longrightarrow \Phi_1 \xrightarrow{a(x)} \Phi_2, \qquad \Phi_2[w/x] \Longrightarrow \Phi'.$$

It remains to show that $\Delta'[w/x] \lhd_S \Phi'$:

$$\begin{aligned}
\Delta'[w/x] &= \sum_{j \in J} q_j \cdot \Theta_j[w/x] \\
&= \sum_{j \in J} \sum_{i \in I_j} \frac{p_i \cdot q_j}{\Delta(t_j)} \cdot \Theta_j[w/x] && \text{using (4)} \\
&= \sum_{i \in I} \sum_{j \in J_i} \frac{p_i \cdot q_j}{\Delta(s_i)} \cdot \Theta_j[w/x] && \text{using (3)} \\
&\lhd_S \sum_{i \in I} \sum_{j \in J_i} \frac{p_i \cdot q_j}{\Delta(s_i)} \cdot \Phi'_{ij} = \Phi' && \text{using (5) and linearity of } \lhd_S.
\end{aligned}$$

□



Lemma 7. Suppose $\Delta \lhd_S \Phi$ and $\Delta \stackrel{\alpha}{\Longrightarrow} \Delta'$, where $\alpha$ is either $\tau$, a free action or a bound output. Then $\Phi \stackrel{\alpha}{\Longrightarrow} \Phi'$ for some $\Phi'$ such that $\Delta' \lhd_S \Phi'$.

Proof. Similar to the proof of Lemma 6.8 in [7]. □

Proposition 2. The relation $\lhd_S$ is reflexive and transitive.

Proof. Reflexivity of $\lhd_S$ follows from Lemma 4. To show transitivity, let us define a relation $\mathcal R \subseteq S_p \times \mathcal D(S_p)$ as follows: $s \,\mathcal R\, \Theta$ iff there exists $\Delta$ such that $s \lhd_S \Delta$ and $\Delta \lhd_S \Theta$. We show that $\mathcal R$ is a simulation.

But first, we claim that $\Theta \lhd_S \Delta \lhd_S \Phi$ implies $\Theta \,\overline{\mathcal R}\, \Phi$. This can be proved similarly as in the case of CSP (see the proof of Proposition 6.9 in [7]).

Now to show that $\mathcal R$ is a simulation, there are two cases to consider. Suppose $s \,\mathcal R\, \Phi$, i.e., $s \lhd_S \Delta \lhd_S \Phi$.

— Suppose $s \xrightarrow{\alpha} \Theta$, where $\alpha$ is either $\tau$, a free action or a bound output action. From $s \lhd_S \Delta$, we have
$$\Delta \stackrel{\alpha}{\Longrightarrow} \Delta' \qquad \text{and} \qquad \Theta \lhd_S \Delta'. \tag{6}$$
By Lemma 7 and (6), we have $\Phi \stackrel{\alpha}{\Longrightarrow} \Phi'$ and $\Delta' \lhd_S \Phi'$, and by the above claim and (6), $\Theta \,\overline{\mathcal R}\, \Phi'$.

— Suppose $s \xrightarrow{a(x)} \Theta$, so we have: for all $w$, there exist $\Delta_1$, $\Delta_2$ and $\Delta'$ such that
$$\Delta \Longrightarrow \Delta_1 \xrightarrow{a(x)} \Delta_2, \qquad \Delta_2[w/x] \Longrightarrow \Delta', \qquad \text{and} \qquad \Theta[w/x] \lhd_S \Delta'. \tag{7}$$
Since $\Delta \lhd_S \Phi$, by Lemma 7 we have $\Phi \Longrightarrow \Phi_1$ and $\Delta_1 \lhd_S \Phi_1$. And since $\Delta_1 \xrightarrow{a(x)} \Delta_2$, by Lemma 6, for all $w$, there exist $\Phi_2$, $\Phi_3$ and $\Phi_4$ such that:
$$\Phi_1 \Longrightarrow \Phi_2 \xrightarrow{a(x)} \Phi_3, \qquad \Phi_3[w/x] \Longrightarrow \Phi_4, \qquad \Delta_2[w/x] \lhd_S \Phi_4.$$
Lemma 7, together with $\Delta_2[w/x] \lhd_S \Phi_4$ and $\Delta_2[w/x] \Longrightarrow \Delta'$, implies that $\Phi_4 \Longrightarrow \Phi_5$ and $\Delta' \lhd_S \Phi_5$ for some $\Phi_5$. From $\Theta[w/x] \lhd_S \Delta'$ and $\Delta' \lhd_S \Phi_5$, we have $\Theta[w/x] \,\overline{\mathcal R}\, \Phi_5$. Putting it all together, we have:
$$\Phi \Longrightarrow \Phi_2 \xrightarrow{a(x)} \Phi_3, \qquad \Phi_3[w/x] \Longrightarrow \Phi_5, \qquad \Theta[w/x] \,\overline{\mathcal R}\, \Phi_5.$$

Thus $\mathcal R$ is indeed a simulation. □

Proposition 3. The relation $\lhd_{FS}$ is reflexive and transitive.

Proof. Reflexivity of $\lhd_{FS}$ follows from Lemma 4. To show transitivity, we use a similar argument as in the proof of Proposition 2: define $\mathcal R$ such that $s \,\mathcal R\, \Theta$ iff there exists $\Delta$ such that $s \lhd_{FS} \Delta$ and $\Delta \lhd_{FS} \Theta$. We show that $\mathcal R$ is a failure simulation.

Suppose $s \,\mathcal R\, \Theta$. The matching up of transitions between $s$ and $\Theta$ is proved similarly to the case with simulation, by proving the analog of Lemmas 5-7 for failure simulation. It then remains to show that when $s \not\downarrow X$ then there exists $\Theta'$ such that $\Theta \Longrightarrow \Theta' \not\downarrow X$. Since $s \,\mathcal R\, \Theta$, by the definition of $\mathcal R$, we have a $\Delta$ s.t. $s \lhd_{FS} \Delta$ and $\Delta \lhd_{FS} \Theta$. The former implies that $\Delta \Longrightarrow \Delta' \not\downarrow X$, for some $\Delta'$. It can be shown, using arguments similar to the proof of Lemma 7, that $\Theta \Longrightarrow \Theta'$ for some $\Theta'$ such that $\Delta' \lhd_{FS} \Theta'$. Suppose $\lceil\Delta'\rceil = \{s_i\}_{i \in I}$, i.e., $\Delta' = \sum_{i \in I} p_i \cdot \delta[s_i]$ with $\sum_{i \in I} p_i = 1$. Obviously, $s_i \not\downarrow X$ for each $i \in I$. By Proposition 1, $\Theta' = \sum_{i \in I} p_i \cdot \Theta_i$ for some distributions $\Theta_i$ such that $\delta[s_i] \lhd_{FS} \Theta_i$. The latter implies, by Definition 2, that $s_i \lhd_{FS} \Theta_i$. Since $s_i \not\downarrow X$, it follows that $\Theta_i \Longrightarrow \Theta'_i \not\downarrow X$, for some $\Theta'_i$. Thus $\Theta' \Longrightarrow (\sum_{i \in I} p_i \cdot \Theta'_i) \not\downarrow X$. □

Corollary 1. The relations $\sqsubseteq_S$ and $\sqsubseteq_{FS}$ are preorders.

Proof. The fact that $\sqsubseteq_S$ is a preorder follows from Lemma 7 and Proposition 2. Similar arguments hold for $\sqsubseteq_{FS}$, using an analog of Lemma 7 and Proposition 3. □

5 Soundness of the simulation preorders 

In proving soundness of the simulation preorders with respect to the testing preorders, we first need to prove certain congruence properties, i.e., closure under restriction and parallel composition. For this, it is helpful to consider a slightly more general definition of simulation, which incorporates another relation. This technique, called the up-to technique, has been used in the literature to prove congruence properties of various (pre-)orders for the π-calculus [19].

Definition 4 (Up-to rules). Let $\mathcal R \subseteq S_p \times \mathcal D(S_p)$. Define the relation $\mathcal R^t$, where $t \in \{r, \nu, p\}$, as the smallest relation which satisfies the closure rule for $t$, given below (where $\sigma$ is a renaming substitution):

$$\frac{s \,\mathcal R\, \Delta}{s\sigma \ \mathcal R^r\ \Delta\sigma} \qquad\qquad \frac{s \,\mathcal R\, \Delta}{(\nu x.s) \ \mathcal R^\nu\ (\nu x.\Delta)} \qquad\qquad \frac{s_1 \,\mathcal R\, \Delta_1 \qquad s_2 \,\mathcal R\, \Delta_2}{(s_1 \,|\, s_2) \ \mathcal R^p\ (\Delta_1 \,|\, \Delta_2)}$$

Definition 5 ((Failure) Simulation up-to). A relation $\mathcal R \subseteq S_p \times \mathcal D(S_p)$ is said to be a (failure) simulation up to renaming (likewise, restriction and parallel composition) if it satisfies clauses 1 and 2 (and 3 for failure simulation) in Definition 3, but with $\overline{\mathcal R}$ in the clauses replaced by $\overline{\mathcal R^r}$ (respectively, $\overline{\mathcal R^\nu}$ and $\overline{\mathcal R^p}$).

It is easy to see that $\mathcal R \subseteq \mathcal R^t$ for any $t \in \{r, \nu\}$ (i.e., via the identity relation as renaming substitution in the former, and via the empty restriction in the latter). The following lemma is then an easy consequence.

Lemma 8. If $\mathcal R$ is a (failure) simulation then it is a (failure) simulation up to renaming, and also a (failure) simulation up to restriction.
Our objective is really to show that simulation up-to parallel composition is 
itself a simulation. This would then entail that (the lifted) simulation is closed 
under parallel composition, from which soundness w.r.t. may-testing follows. We 
prove this indirectly in three stages: 

— simulation up-to renaming is a simulation; 

— simulation up-to restriction is a simulation up-to renaming (hence also a 
simulation by the previous item); 

— and, finally, simulation up-to parallel composition is a simulation up-to re- 
striction. 

5.1 Up to renaming 

Note that as a consequence of Lemma 1 (1), given an injective renaming substitution $\sigma$, we have: if $s\sigma \xrightarrow{\alpha'} \Delta'$ then there exist $\alpha$ and $\Delta$ such that $\alpha' = \alpha\sigma$, $\Delta' = \Delta\sigma$ and $s \xrightarrow{\alpha} \Delta$. This is proved by simply applying Lemma 1 (1) to $s\sigma \xrightarrow{\alpha'} \Delta'$ using the inverse of $\sigma$.

In the following, we shall write $\mathcal R^{tt}$ to denote $(\mathcal R^t)^t$, i.e., the result of applying the up-to closure rule $t$ twice to $\mathcal R$.

Lemma 9. $\mathcal R^{rr} = \mathcal R^r$.

Lemma 10. If $\Delta_1 \,\overline{\mathcal R^r}\, \Delta_2$ then $(\Delta_1\sigma) \,\overline{\mathcal R^r}\, (\Delta_2\sigma)$ for any renaming substitution $\sigma$.

Proof. This follows from the fact that $\Delta_1 \,\overline{\mathcal R^r}\, \Delta_2$ implies $\Delta_1\sigma \,\overline{\mathcal R^{rr}}\, \Delta_2\sigma$ and that $\mathcal R^{rr} = \mathcal R^r$. □

Lemma 11. If $\mathcal R$ is a (failure) simulation up to renaming, then $\mathcal R^r \subseteq \lhd_S$ (respectively, $\mathcal R^r \subseteq \lhd_{FS}$).

Proof. Suppose $\mathcal{R}$ is a simulation. It is enough to show that $\mathcal{R}^r$ is a simulation. So suppose $s\,\mathcal{R}^r\,\Delta$ and $s \xrightarrow{\alpha} \Theta$. By the definition of $\mathcal{R}^r$, $s = s'\sigma$ and $\Delta = \Delta'\sigma$ for some renaming substitution $\sigma$ and some $s'$ and $\Delta'$ such that $s'\,\mathcal{R}\,\Delta'$. There are several cases to consider depending on the type of $\alpha$.

— $\alpha$ is $\tau$ or a free action: By Lemma 1 (1) we have $s' \xrightarrow{\alpha'} \Theta'$ for some $\alpha'$ and $\Theta'$ such that $\alpha = \alpha'\sigma$ and $\Theta = \Theta'\sigma$. Since $\mathcal{R}$ is a simulation up to renaming, $s'\,\mathcal{R}\,\Delta'$ implies that $\Delta' \stackrel{\hat{\alpha'}}{\Longrightarrow} \Delta_1$ and $\Theta'\,\mathcal{R}^r\,\Delta_1$. The former implies, by Lemma 1 (2), that $\Delta \stackrel{\hat{\alpha}}{\Longrightarrow} \Delta_2$ for some $\Delta_2$ such that $\Delta_2 = \Delta_1\sigma$, while the latter implies, by Lemma 10, that $\Theta = (\Theta'\sigma)\,\mathcal{R}^r\,(\Delta_1\sigma) = \Delta_2$.

— $\alpha = a(x)$ for some $a$ and $x$: In this case, $x \notin fn(s,\Delta)$, so we can assume, without loss of generality, that $x$ does not occur in $\sigma$. Using a similar argument as in the previous case, we have that $s' \xrightarrow{b(x)} \Theta'$ for some $b$ and $\Theta'$ such that $\sigma(b) = a$ and $\Theta = \Theta'\sigma$. Since $\mathcal{R}$ is a simulation up to renaming, $s'\,\mathcal{R}\,\Delta'$ implies that for every name $w$, there exist $\Delta_1^w$, $\Delta_2^w$ and $\Delta^w$ such that:

$$\Delta' \Longrightarrow \Delta_1^w \xrightarrow{b(x)} \Delta_2^w, \qquad \Delta_2^w[w/x] \Longrightarrow \Delta^w, \quad \text{and} \tag{8}$$

$$\Theta'[w/x]\,\mathcal{R}^r\,\Delta^w. \tag{9}$$

Let $\Phi_1 = \Delta_1^w\sigma$, $\Phi_2 = \Delta_2^w\sigma$ and $\Phi = \Delta^w\sigma$. From (8) and Lemma 1 (2) we get:

$$\Delta = \Delta'\sigma \Longrightarrow \Delta_1^w\sigma = \Phi_1 \xrightarrow{a(x)} \Delta_2^w\sigma = \Phi_2.$$

By (8), the freshness assumption of $x$ w.r.t. $\sigma$, and Lemma 1 (2), we get

$$\Phi_2[w/x] = \Delta_2^w\sigma[w/x] = \Delta_2^w[w/x]\sigma \Longrightarrow \Delta^w\sigma = \Phi.$$

Finally, by (9) and Lemma 10, $\Theta[w/x] = \Theta'\sigma[w/x] = \Theta'[w/x]\sigma\,\mathcal{R}^r\,\Delta^w\sigma = \Phi$.

— $\alpha = \bar{a}(x)$: This case can be proved similarly to the previous cases.

For the case where $\mathcal{R}$ is a failure simulation, we additionally need to show that whenever $s\,\mathcal{R}^r\,\Delta$ and $s \nrightarrow_X$ we have $\Delta \Longrightarrow \Theta \nrightarrow_X$ for some $\Theta$. Since $s\,\mathcal{R}^r\,\Delta$, we have $s = s'\sigma$ and $\Delta = \Delta'\sigma$ for some $s'$, $\Delta'$ and renaming substitution $\sigma$. Let $X' = X\sigma^{-1}$, i.e., $X'$ is the inverse image of $X$ under $\sigma$. Then we have that $s' \nrightarrow_{X'}$, and $\Delta' \Longrightarrow \Theta' \nrightarrow_{X'}$. Applying $\sigma$ to the latter, we obtain $\Delta \Longrightarrow \Theta \nrightarrow_X$. □

Lemma 12. Suppose $P \sqsubseteq_S Q$ ($P \sqsubseteq_{FS} Q$) and $\sigma$ is a renaming substitution. Then $P\sigma \sqsubseteq_S Q\sigma$ (respectively, $P\sigma \sqsubseteq_{FS} Q\sigma$).

Proof. Immediate from Lemma 11. □

5.2 Up to name restriction

The following lemma says that transitions are closed under name restriction, if certain conditions are satisfied.

Lemma 13. 1. For every state-based process $s$, every action $\alpha$ and every list of names $\vec{x}$ such that $\{\vec{x}\} \cap n(\alpha) = \emptyset$, $s \xrightarrow{\alpha} \Delta$ implies $\nu\vec{x}.s \xrightarrow{\alpha} \nu\vec{x}.\Delta$.

2. For every $\Delta$ and $\Phi$, every action $\alpha$ and every list of names $\vec{x}$ such that $\{\vec{x}\} \cap n(\alpha) = \emptyset$, $\Delta \stackrel{\hat\alpha}{\Longrightarrow} \Phi$ implies $\nu\vec{x}.\Delta \stackrel{\hat\alpha}{\Longrightarrow} \nu\vec{x}.\Phi$.

3. Suppose $s \xrightarrow{\bar{a}b} \Delta$ and suppose $\vec{x}$ and $\vec{y}$ are names such that $\{\vec{x}, \vec{y}\} \cap \{a, b\} = \emptyset$. Then $\nu\vec{x}\nu b\nu\vec{y}.s \xrightarrow{\bar{a}(b)} \nu\vec{x}\nu\vec{y}.\Delta$.

Lemma 14. If $\Delta\,\mathcal{R}^\nu\,\Theta$ then $(\nu\vec{x}.\Delta)\,\mathcal{R}^\nu\,(\nu\vec{x}.\Theta)$.

Lemma 15. If $\mathcal{R}$ is a (failure) simulation up to restriction, then $\mathcal{R}^\nu \subseteq \lhd_S$ (respectively, $\mathcal{R}^\nu \subseteq \lhd_{FS}$).
Proof. Suppose $\mathcal{R}$ is a simulation up to restriction. We show that $\mathcal{R}^\nu$ is a simulation up to renaming, hence by Lemma 11 we have $\mathcal{R}^\nu \subseteq \mathcal{R}^{\nu r} \subseteq \lhd_S$.

Suppose $s\,\mathcal{R}^\nu\,\Delta$ and $s \xrightarrow{\alpha} \Theta$. By the definition of $\mathcal{R}^\nu$, we have that $s = \nu\vec{x}.s'$, $\Delta = \nu\vec{x}.\Delta'$, and $s'[\vec{y}/\vec{x}]\,\mathcal{R}\,\Delta'[\vec{y}/\vec{x}]$ for some $\vec{y}$ such that $\{\vec{y}\} \cap fn(s,\Delta) = \emptyset$. There are several cases depending on how the transition $s \xrightarrow{\alpha} \Theta$ is derived. Note that there may be implicit $\alpha$-renaming involved in the derivations of a transition judgment. We assume that the names $\vec{x}$ are chosen such that no $\alpha$-renaming is needed in deriving the transition relation $\nu\vec{x}.s' \xrightarrow{\alpha} \Theta$, e.g., one such choice would be one that avoids clashes with the free names in $\vec{y}$, $s$, and $\Delta$.

— $\alpha$ is either $\tau$ or a free action. In this case, the transition must have been derived as follows:

$$\frac{s' \xrightarrow{\alpha} \Theta'}{\nu\vec{x}.s' \xrightarrow{\alpha} \nu\vec{x}.\Theta'}\ \text{res}^{*}$$

where $\Theta = \nu\vec{x}.\Theta'$ and $n(\alpha) \cap \{\vec{x}\} = \emptyset$. Here the starred rule name (drawn as a double line in the inference rule) indicates zero or more applications of the rule. An inspection of the operational semantics will reveal that in this case, $n(\alpha) \subseteq fn(s)$ and $fn(\Theta) \subseteq fn(s)$. So in particular, $\{\vec{y}\} \cap n(\alpha) = \emptyset$. We thus can apply the renaming substitution $[\vec{y}/\vec{x}, \vec{x}/\vec{y}]$ to get $s'[\vec{y}/\vec{x}] \xrightarrow{\alpha} \Theta'[\vec{y}/\vec{x}]$. Since $s'[\vec{y}/\vec{x}]\,\mathcal{R}\,\Delta'[\vec{y}/\vec{x}]$, we have that $\Delta'[\vec{y}/\vec{x}] \stackrel{\hat\alpha}{\Longrightarrow} \Delta''[\vec{y}/\vec{x}]$ and $\Theta'[\vec{y}/\vec{x}]\,\mathcal{R}^\nu\,\Delta''[\vec{y}/\vec{x}]$. The former implies, via Lemma 13 (1), that $\nu\vec{x}.\Delta' \stackrel{\hat\alpha}{\Longrightarrow} \nu\vec{x}.\Delta''$ and the latter implies, via Lemma 14, that $(\nu\vec{x}.\Theta')\,\mathcal{R}^\nu\,(\nu\vec{x}.\Delta'')$. Since $\mathcal{R}^\nu \subseteq (\mathcal{R}^\nu)^r$, we also have $(\nu\vec{x}.\Theta')\,\mathcal{R}^{\nu r}\,(\nu\vec{x}.\Delta'')$.

— $\alpha = a(z)$: With a similar argument as in the previous case, we can show that in this case we must have $s' \xrightarrow{a(z)} \Theta'$ where $\Theta = \nu\vec{x}.\Theta'$. We need to show that for every name $w$, there exist $\Gamma_1^w$, $\Gamma_2^w$ and $\Gamma^w$ such that $\Delta \Longrightarrow \Gamma_1^w \xrightarrow{a(z)} \Gamma_2^w$, $\Gamma_2^w[w/z] \Longrightarrow \Gamma^w$, and $\Theta[w/z]\,\mathcal{R}^{\nu r}\,\Gamma^w$.

Note that $z \notin \{\vec{x}\}$, but it may be the case that $z \in \{\vec{y}\}$. So we first apply a renaming $[u/z, z/u, \vec{y}/\vec{x}, \vec{x}/\vec{y}]$, for some fresh name $u$, to the transition $s' \xrightarrow{a(z)} \Theta'$ to get:

$$s'[\vec{y}/\vec{x}] \xrightarrow{a(u)} \Theta'[u/z, \vec{y}/\vec{x}].$$

Since $s'[\vec{y}/\vec{x}]\,\mathcal{R}\,\Delta'[\vec{y}/\vec{x}]$, we have, for every name $w$, some $\Delta_1^w$, $\Delta_2^w$ and $\Delta^w$ such that

$$\Delta'[\vec{y}/\vec{x}] \Longrightarrow \Delta_1^w \xrightarrow{a(u)} \Delta_2^w, \qquad \Delta_2^w[w/u] \Longrightarrow \Delta^w, \quad\text{and} \tag{10}$$

$$\Theta'[u/z, \vec{y}/\vec{x}][w/u] = \Theta'[w/z, \vec{y}/\vec{x}]\,\mathcal{R}^\nu\,\Delta^w[w/u]. \tag{11}$$

Let $\Phi_1^w$, $\Phi_2^w$ and $\Phi^w$ be distributions such that $\Delta_1^w = \Phi_1^w[\vec{y}/\vec{x}]$, $\Delta_2^w = \Phi_2^w[u/z, \vec{y}/\vec{x}]$, and $\Delta^w = \Phi^w[\vec{y}/\vec{x}]$. So in particular, $\Delta_2^w[w/u] = \Phi_2^w[w/z, \vec{y}/\vec{x}]$ and $\Delta^w[w/u] = \Phi^w[w/z, \vec{y}/\vec{x}]$. Then (10) can be rewritten as:

$$\Delta'[\vec{y}/\vec{x}] \Longrightarrow \Phi_1^w[\vec{y}/\vec{x}] \xrightarrow{a(u)} \Phi_2^w[u/z, \vec{y}/\vec{x}], \qquad \Phi_2^w[w/z, \vec{y}/\vec{x}] \Longrightarrow \Phi^w[\vec{y}/\vec{x}], \tag{12}$$

and (11) can be rewritten as:

$$\Theta'[w/z, \vec{y}/\vec{x}]\,\mathcal{R}^\nu\,\Phi^w[w/z, \vec{y}/\vec{x}]. \tag{13}$$

Now, to define $\Gamma_1^w$, $\Gamma_2^w$ and $\Gamma^w$, we need to consider two cases, based on the value of $w$. The reason is that in the construction of $\Gamma^w$ we need to bind the free names in $\Phi^w$, so if $z$ is substituted with a name in $\vec{y}$, it could get captured.

• $w \notin \{\vec{x}, \vec{y}\}$. In this case, define:

$$\Gamma_1^w = \nu\vec{x}.\Phi_1^w, \qquad \Gamma_2^w = \nu\vec{x}.\Phi_2^w, \qquad \Gamma^w = \nu\vec{x}.\Phi^w.$$

By Lemma 13 (1) and (12), we have:

$$\nu\vec{x}.\Delta' \Longrightarrow \Gamma_1^w \xrightarrow{a(z)} \Gamma_2^w, \qquad \Gamma_2^w[w/z] \Longrightarrow \Gamma^w$$

and by Lemma 14 and (13), we have

$$(\Theta[w/z]) = (\nu\vec{x}.\Theta')[w/z]\,\mathcal{R}^\nu\,\Gamma^w,$$

hence also, $(\Theta[w/z]) = (\nu\vec{x}.\Theta')[w/z]\,\mathcal{R}^{\nu r}\,\Gamma^w$.

• $w \in \{\vec{x}, \vec{y}\}$. Let $v$ be a new name (distinct from all other names considered so far). From the previous case, we know how to construct $\Gamma_1^v$, $\Gamma_2^v$ and $\Gamma^v$ such that

$$\nu\vec{x}.\Delta' \Longrightarrow \Gamma_1^v \xrightarrow{a(z)} \Gamma_2^v, \qquad \Gamma_2^v[v/z] \Longrightarrow \Gamma^v, \qquad (\Theta[v/z])\,\mathcal{R}^{\nu r}\,\Gamma^v. \tag{14}$$

In this case, let $\Gamma_1^w = \Gamma_1^v$, $\Gamma_2^w = \Gamma_2^v$ and $\Gamma^w = \Gamma^v[w/v]$. (Note that because substitution is capture-avoiding, the bound names in $\Gamma^v$ will be renamed via $\alpha$-conversion.) Then by Lemma 1 (2) and Lemma 10 and (14):

$$\nu\vec{x}.\Delta' \Longrightarrow \Gamma_1^w \xrightarrow{a(z)} \Gamma_2^w, \qquad \Gamma_2^w[w/z] \Longrightarrow \Gamma^w, \qquad (\Theta[w/z])\,\mathcal{R}^{\nu r}\,\Gamma^w.$$

— $\alpha$ is a bound output action, i.e., $\alpha = \bar{a}(b)$ for some $a$ and $b$. There are two subcases to consider, depending on whether $b \in \{\vec{x}\}$ (i.e., one of the restricted names $\vec{x}$ is extruded) or not. The latter can be proved similarly to the previous case. We show here a proof of the former case. So suppose $b \in \vec{x}$, i.e., $\nu\vec{x} = \nu\vec{x}_1\nu b\nu\vec{x}_2$, and suppose that $[\vec{y}/\vec{x}]$ maps $b$ to $c$, i.e., $\nu\vec{y} = \nu\vec{y}_1\nu c\nu\vec{y}_2$. Suppose the transition relation is derived as follows:

$$\frac{\dfrac{\dfrac{s' \xrightarrow{\bar{a}b} \Theta'}{\nu\vec{x}_2.s' \xrightarrow{\bar{a}b} \nu\vec{x}_2.\Theta'}\ \text{res}^{*}}{\nu b\nu\vec{x}_2.s' \xrightarrow{\bar{a}(b)} \nu\vec{x}_2.\Theta'}\ \text{open}}{\nu\vec{x}_1\nu b\nu\vec{x}_2.s' \xrightarrow{\bar{a}(b)} \nu\vec{x}_1\nu\vec{x}_2.\Theta'}\ \text{res}^{*}$$

Applying the renaming $[\vec{y}/\vec{x}, \vec{x}/\vec{y}]$ we have: $s'[\vec{y}/\vec{x}] \xrightarrow{\bar{a}c} \Theta'[\vec{y}/\vec{x}]$. Since $s'[\vec{y}/\vec{x}]\,\mathcal{R}\,\Delta'[\vec{y}/\vec{x}]$, we have that

$$\Delta'[\vec{y}/\vec{x}] \stackrel{\bar{a}c}{\Longrightarrow} \Phi, \quad\text{and}\quad \Theta'[\vec{y}/\vec{x}]\,\mathcal{R}^\nu\,\Phi. \tag{15}$$

Let $\Psi[\vec{y}/\vec{x}] = \Phi$. Lemma 13 (3) and (15) imply that

$$\nu\vec{x}.\Delta' = \nu\vec{y}_1\nu c\nu\vec{y}_2.\Delta'[\vec{y}/\vec{x}] \stackrel{\bar{a}(c)}{\Longrightarrow} \nu\vec{y}_1\nu\vec{y}_2.\Psi[\vec{y}/\vec{x}] = \nu\vec{x}_1\nu\vec{x}_2.\Psi[c/b]$$

and by an application of a renaming (Lemma 1 (1)) we get

$$\nu\vec{x}.\Delta' \stackrel{\bar{a}(b)}{\Longrightarrow} \nu\vec{x}_1\nu\vec{x}_2.\Psi.$$

Lemma 14 and (15) imply

$$(\nu\vec{x}_1\nu\vec{x}_2.\Theta'[c/b])\,\mathcal{R}^\nu\,(\nu\vec{x}_1\nu\vec{x}_2.\Psi[c/b])$$

hence, via the renaming $[c/b, b/c]$, $(\nu\vec{x}_1\nu\vec{x}_2.\Theta')\,\mathcal{R}^{\nu r}\,(\nu\vec{x}_1\nu\vec{x}_2.\Psi)$.

If $\mathcal{R}$ is a failure simulation up to restriction, we need to additionally show that $\mathcal{R}^\nu$ satisfies clause 3 of Definition 3. Suppose $s\,\mathcal{R}^\nu\,\Theta$. Then $s = \nu\vec{x}.s'$ and $\Theta = \nu\vec{x}.\Theta'$ for some $\vec{x}$, $s'$ and $\Theta'$ such that $s'\,\mathcal{R}\,\Theta'$. Suppose $s \nrightarrow_X$. We need to show that $\Theta \Longrightarrow \Delta$ such that $\Delta \nrightarrow_X$ for some $\Delta$. Since name restriction hides visible actions, it can be shown that $s' \nrightarrow_{X \setminus \{\vec{x}\}}$ iff $\nu\vec{x}.s' \nrightarrow_X$. So from $s'\,\mathcal{R}\,\Theta'$ we have that $\Theta' \Longrightarrow \Delta' \nrightarrow_{X \setminus \{\vec{x}\}}$. Let $\Delta = \nu\vec{x}.\Delta'$. Then by Lemma 13 (2), we have $\Theta = \nu\vec{x}.\Theta' \Longrightarrow \nu\vec{x}.\Delta' = \Delta \nrightarrow_X$. □

Lemma 16. If $P \sqsubseteq_S Q$ ($P \sqsubseteq_{FS} Q$) then $(\nu x.P) \sqsubseteq_S (\nu x.Q)$ (respectively, $(\nu x.P) \sqsubseteq_{FS} (\nu x.Q)$).

Proof. This is a simple corollary of Lemma 8 and Lemma 15. □

5.3 Up to parallel composition

The following lemma will be useful in proving the closure of simulation under parallel composition. It is independent of the underlying calculus, and is originally proved in [7].

Lemma 17. 1. $(\sum_{j \in J} p_j \cdot \Delta_j) \mid (\sum_{k \in K} q_k \cdot \Delta_k) = \sum_{j \in J}\sum_{k \in K} p_j q_k \cdot (\Delta_j \mid \Delta_k)$.

2. Suppose $\mathcal{R}, \mathcal{R}' \subseteq S_p \times \mathcal{D}(S_p)$ are two relations such that $s\,\mathcal{R}'\,\Delta$ whenever $s = s_1 \mid s_2$ and $\Delta = \Delta_1 \mid \Delta_2$ with $s_1\,\mathcal{R}\,\Delta_1$ and $s_2\,\mathcal{R}\,\Delta_2$. Then $\Phi_1\,\mathcal{R}\,\Delta_1$ and $\Phi_2\,\mathcal{R}\,\Delta_2$ imply $(\Phi_1 \mid \Phi_2)\,\mathcal{R}'\,(\Delta_1 \mid \Delta_2)$.

We also need a slightly more general substitution lemma for transitions than the one given in Lemma 1 (1). In the following, we denote with $n(\theta)$ the set of all names appearing in the domain and range of $\theta$.

Lemma 18. For any substitution $\sigma$, the following hold:

1. If $s \xrightarrow{\alpha} \Delta$ and $bn(\alpha) \cap n(\sigma) = \emptyset$ then $s\sigma \xrightarrow{\alpha\sigma} \Delta\sigma$.

2. If $\Delta \stackrel{\hat\alpha}{\Longrightarrow} \Phi$ and $bn(\alpha) \cap n(\sigma) = \emptyset$ then $\Delta\sigma \stackrel{\widehat{\alpha\sigma}}{\Longrightarrow} \Phi\sigma$.

The following lemma shows that transitions are closed under parallel composition, under suitable conditions.

Lemma 19. 1. If $s \xrightarrow{\alpha} \Delta$ and $fn(s') \cap bn(\alpha) = \emptyset$ then $s \mid s' \xrightarrow{\alpha} \Delta \mid \delta[s']$ and $s' \mid s \xrightarrow{\alpha} \delta[s'] \mid \Delta$.

2. If $\Phi \stackrel{\hat\alpha}{\Longrightarrow} \Delta$, where $\alpha$ is either $\tau$, a free action or a bound output, and $fn(\Phi') \cap bn(\alpha) = \emptyset$ then $\Phi \mid \Phi' \stackrel{\hat\alpha}{\Longrightarrow} \Delta \mid \Phi'$ and $\Phi' \mid \Phi \stackrel{\hat\alpha}{\Longrightarrow} \Phi' \mid \Delta$.

3. If $\Phi \xrightarrow{a(y)} \Phi'$ and $\Delta \xrightarrow{\bar{a}w} \Delta'$ then $\Phi \mid \Delta \xrightarrow{\tau} \Phi'[w/y] \mid \Delta'$.

4. If $\Phi \xrightarrow{a(y)} \Phi'$ and $\Delta \xrightarrow{\bar{a}(y)} \Delta'$ then $\Phi \mid \Delta \xrightarrow{\tau} \nu y.(\Phi' \mid \Delta')$.

Lemma 20. If $\mathcal{R}$ is a simulation, then $\mathcal{R}^p \subseteq \lhd_S$.

Proof. We show that $\mathcal{R}^p$ is a simulation up to restriction, and therefore, by Lemma 15, it is included in $\lhd_S$.

So suppose $s\,\mathcal{R}^p\,\Delta$ and $s \xrightarrow{\alpha} \Theta$. By definition, we have $s = s_1 \mid s_2$ and $\Delta = \Delta_1 \mid \Delta_2$ such that $s_1\,\mathcal{R}\,\Delta_1$ and $s_2\,\mathcal{R}\,\Delta_2$. There are several cases to consider depending on the type of $\alpha$:

— $\alpha$ is a free output action. There can be two ways in which the transition $s \xrightarrow{\alpha} \Theta$ is derived. We show here one case; the other case is symmetric. So suppose the transition is derived as follows:

$$\frac{s_1 \xrightarrow{\alpha} \Theta'}{s_1 \mid s_2 \xrightarrow{\alpha} \Theta' \mid \delta[s_2]}\ \text{par}$$

where $\Theta = \Theta' \mid \delta[s_2]$. Since $s_1\,\mathcal{R}\,\Delta_1$, we have

$$\Delta_1 \stackrel{\hat\alpha}{\Longrightarrow} \Delta_1'$$

and $\Theta'\,\mathcal{R}\,\Delta_1'$. The former implies, via Lemma 19 (2), that $\Delta_1 \mid \Delta_2 \stackrel{\hat\alpha}{\Longrightarrow} \Delta_1' \mid \Delta_2$. Since $s_2\,\mathcal{R}\,\Delta_2$ by assumption, and therefore $\delta[s_2]\,\mathcal{R}\,\Delta_2$, by Lemma 17 (2) we have

$$\Theta = (\Theta' \mid \delta[s_2])\,\mathcal{R}^p\,(\Delta_1' \mid \Delta_2)$$

and therefore, also

$$\Theta = (\Theta' \mid \delta[s_2])\,\mathcal{R}^{p\nu}\,(\Delta_1' \mid \Delta_2).$$

— $\alpha = a(y)$ and $y \notin fn(s, \Delta)$. That is, in this case, the transition is derived as follows:

$$\frac{s_1 \xrightarrow{a(y)} \Theta'}{s_1 \mid s_2 \xrightarrow{a(y)} \Theta' \mid \delta[s_2]}\ \text{par}$$

and $y \notin fn(s_2)$. (There is another symmetric case which we omit here.) Since $s_1\,\mathcal{R}\,\Delta_1$, we have, for every name $w$, some $\Delta_1^w$, $\Delta_2^w$ and $\Delta^w$ such that:

$$\Delta_1 \Longrightarrow \Delta_1^w \xrightarrow{a(y)} \Delta_2^w, \qquad \Delta_2^w[w/y] \Longrightarrow \Delta^w, \quad\text{and} \tag{16}$$

$$\Theta'[w/y]\,\mathcal{R}\,\Delta^w. \tag{17}$$

From (16) above and Lemma 19 (2), and the assumption that $y \notin fn(s, \Delta)$, we have

$$\Delta_1 \mid \Delta_2 \Longrightarrow \Delta_1^w \mid \Delta_2 \xrightarrow{a(y)} \Delta_2^w \mid \Delta_2, \qquad \Delta_2^w[w/y] \mid \Delta_2 \Longrightarrow \Delta^w \mid \Delta_2.$$

Since $s_2\,\mathcal{R}\,\Delta_2$, and therefore $\delta[s_2]\,\mathcal{R}\,\Delta_2$, it then follows from (17) and Lemma 17 (2) that

$$\Theta[w/y] = (\Theta'[w/y] \mid \delta[s_2])\,\mathcal{R}^p\,(\Delta^w \mid \Delta_2)$$

and therefore

$$\Theta[w/y] = (\Theta'[w/y] \mid \delta[s_2])\,\mathcal{R}^{p\nu}\,(\Delta^w \mid \Delta_2).$$

— $\alpha = \bar{a}(y)$ and $y \notin fn(s, \Delta)$. This case is similar to the previous cases, except that we only need to consider an instantiation of $y$ with a fresh name. This is left as an exercise for the reader.

— $\alpha = \tau$ and the transition $s \xrightarrow{\tau} \Theta$ is derived via a Com-rule. We show here one case; the other case can be dealt with symmetrically. So suppose the transition is derived as follows:

$$\frac{s_1 \xrightarrow{a(y)} \Theta_1 \qquad s_2 \xrightarrow{\bar{a}w} \Theta_2}{s_1 \mid s_2 \xrightarrow{\tau} \Theta_1[w/y] \mid \Theta_2}\ \text{com}$$

Without loss of generality, we can assume that $y \notin fn(s, \Delta)$. Since $s_1\,\mathcal{R}\,\Delta_1$ and $s_2\,\mathcal{R}\,\Delta_2$, we have:

• For every name $w$, there are $\Delta_1'$, $\Delta_2'$ and $\Delta_1^f$ such that

$$\Delta_1 \Longrightarrow \Delta_1' \xrightarrow{a(y)} \Delta_2', \qquad \Delta_2'[w/y] \Longrightarrow \Delta_1^f \quad\text{and} \tag{18}$$

$$\Theta_1[w/y]\,\mathcal{R}\,\Delta_1^f. \tag{19}$$

• There exists $\Delta_2^f$ such that

$$\Delta_2 \Longrightarrow \Phi_1 \xrightarrow{\bar{a}w} \Phi_2 \Longrightarrow \Delta_2^f \quad\text{and} \tag{20}$$

$$\Theta_2\,\mathcal{R}\,\Delta_2^f. \tag{21}$$

From (18), (20), and Lemma 19 (2)–(3), we have:

$$\Delta_1 \mid \Delta_2 \Longrightarrow \Delta_1' \mid \Phi_1 \xrightarrow{\tau} \Delta_2'[w/y] \mid \Phi_2 \Longrightarrow \Delta_1^f \mid \Delta_2^f,$$

and Lemma 17 (2), together with (19) and (21), implies

$$(\Theta_1[w/y] \mid \Theta_2)\,\mathcal{R}^p\,(\Delta_1^f \mid \Delta_2^f)$$

and therefore

$$(\Theta_1[w/y] \mid \Theta_2)\,\mathcal{R}^{p\nu}\,(\Delta_1^f \mid \Delta_2^f).$$

— $\alpha = \tau$ and the transition $s \xrightarrow{\tau} \Theta$ is derived via the Close-rule:

$$\frac{s_1 \xrightarrow{a(y)} \Theta_1 \qquad s_2 \xrightarrow{\bar{a}(y)} \Theta_2}{s_1 \mid s_2 \xrightarrow{\tau} \nu y.(\Theta_1 \mid \Theta_2)}\ \text{close}$$

Again, we only show one of the two symmetric cases. Without loss of generality, assume that $y$ is chosen to be fresh w.r.t. $s$ and $\Delta$. Since $s_1\,\mathcal{R}\,\Delta_1$ and $s_2\,\mathcal{R}\,\Delta_2$, we have:

• For every name $w$, there are $\Delta_1'$, $\Delta_2'$ and $\Delta_1^w$ such that

$$\Delta_1 \Longrightarrow \Delta_1' \xrightarrow{a(y)} \Delta_2', \qquad \Delta_2'[w/y] \Longrightarrow \Delta_1^w \quad\text{and}\quad \Theta_1[w/y]\,\mathcal{R}\,\Delta_1^w.$$

Note that letting $w = y$, we have

$$\Delta_1 \Longrightarrow \Delta_1' \xrightarrow{a(y)} \Delta_2', \qquad \Delta_2' \Longrightarrow \Delta_1^f \quad\text{and} \tag{22}$$

$$\Theta_1\,\mathcal{R}\,\Delta_1^f. \tag{23}$$

• There exist $\Phi_1$, $\Phi_2$ and $\Delta_2^f$ such that

$$\Delta_2 \Longrightarrow \Phi_1 \xrightarrow{\bar{a}(y)} \Phi_2 \Longrightarrow \Delta_2^f \quad\text{and} \tag{24}$$

$$\Theta_2\,\mathcal{R}\,\Delta_2^f. \tag{25}$$

Then, by (22), (24), Lemma 19 (2) and (4), and Lemma 13 (1), we have:

$$\Delta_1 \mid \Delta_2 \Longrightarrow \Delta_1' \mid \Phi_1 \xrightarrow{\tau} \nu y.(\Delta_2' \mid \Phi_2) \Longrightarrow \nu y.(\Delta_1^f \mid \Delta_2^f).$$

Lemma 17 (2), together with (23) and (25), implies

$$(\Theta_1 \mid \Theta_2)\,\mathcal{R}^p\,(\Delta_1^f \mid \Delta_2^f),$$

which also means:

$$(\Theta_1 \mid \Theta_2)\,\mathcal{R}^{p\nu}\,(\Delta_1^f \mid \Delta_2^f).$$

Now by Lemma 14, the latter implies that

$$\nu y.(\Theta_1 \mid \Theta_2)\,\mathcal{R}^{p\nu}\,\nu y.(\Delta_1^f \mid \Delta_2^f).$$

□

Lemma 21. If $\mathcal{R}$ is a failure simulation, then $\mathcal{R}^p \subseteq \lhd_{FS}$.

Proof. Suppose $s\,\mathcal{R}^p\,\Delta$ and $s \nrightarrow_X$. By definition, we have $s = s_1 \mid s_2$ and $\Delta = \Delta_1 \mid \Delta_2$ such that $s_1\,\mathcal{R}\,\Delta_1$ and $s_2\,\mathcal{R}\,\Delta_2$. Then we have $s_i \nrightarrow_\tau$ for $i = 1, 2$. Define a set $A$ as follows:

$$A = \{a, \bar{a} \mid a \in fn(s_1, s_2, \Delta_1, \Delta_2)\} \cup X.$$

That is, $A$ contains the set of free (co-)names in $s_i$ and $\Delta_i$ and $X$. Let $X_i$ be the largest set such that $X \subseteq X_i \subseteq A$ and $s_i \nrightarrow_{X_i}$. Since $\mathcal{R}$ is a failure simulation, it follows that there exist $\Delta_i'$ such that $\Delta_i \Longrightarrow \Delta_i' \nrightarrow_{X_i}$. By Lemma 19 (2), we have $\Delta_1 \mid \Delta_2 \Longrightarrow \Delta_1' \mid \Delta_2'$. We claim that $(\Delta_1' \mid \Delta_2') \nrightarrow_X$. Suppose otherwise, that is, there exist $t_1 \in \lceil\Delta_1'\rceil$ and $t_2 \in \lceil\Delta_2'\rceil$ such that either $(t_1 \mid t_2) \downarrow_\mu$ for some $\mu \in X$, or $(t_1 \mid t_2) \xrightarrow{\tau}$. If $(t_1 \mid t_2) \downarrow_\mu$ then our operational semantics entails that either $t_1 \downarrow_\mu$ or $t_2 \downarrow_\mu$, which contradicts the fact that $\Delta_i' \nrightarrow_{X_i}$. So let's assume that $(t_1 \mid t_2) \xrightarrow{\tau}$. Again, from the assumption $\Delta_i' \nrightarrow_{X_i}$ we can immediately rule out the cases where $t_i \xrightarrow{\tau}$ or $t_i \downarrow_\mu$, for some $\mu \in X$. This leaves us only with the cases where $t_1 \downarrow_\mu$ and $t_2 \downarrow_{\bar\mu}$ where $\mu \notin X$ and $\bar\mu \notin X$. But since $\Delta_i' \nrightarrow_{X_i}$, this can only be the case if $\mu \notin X_1$ and $\bar\mu \notin X_2$. From the operational semantics, it is easy to see that $fn(\Delta_1', \Delta_2') \subseteq fn(\Delta_1, \Delta_2)$, so it must be the case that $\mu \in A$ and $\bar\mu \in A$. It also must be the case that $s_1 \downarrow_\mu$, for otherwise, it would contradict the "largest" property of $X_1$. Similarly, we can argue that $s_2 \downarrow_{\bar\mu}$. But then this would imply that $(s_1 \mid s_2) \xrightarrow{\tau}$, contradicting the fact that $(s_1 \mid s_2) \nrightarrow_X$.

The matching up of transitions and the use of $\mathcal{R}$ to prove the preservation property of $\lhd_{FS}$ under parallel composition are similar to those in the corresponding proof in Lemma 20 for simulations, so we omit them. □

Lemma 22. 1. If $P_1 \sqsubseteq_S Q_1$ and $P_2 \sqsubseteq_S Q_2$ then $P_1 \mid P_2 \sqsubseteq_S Q_1 \mid Q_2$.
2. If $P_1 \sqsubseteq_{FS} Q_1$ and $P_2 \sqsubseteq_{FS} Q_2$ then $P_1 \mid P_2 \sqsubseteq_{FS} Q_1 \mid Q_2$.

Proof. It is enough to show that $(\lhd_S)^p \subseteq \lhd_S$ and $(\lhd_{FS})^p \subseteq \lhd_{FS}$, which follow directly from Lemmas 20 and 21 respectively. □



5.4 Soundness 

We now proceed to proving the main result, which is that $P \sqsubseteq_S Q$ implies $P \sqsubseteq_{pmay} Q$, and $P \sqsubseteq_{FS} Q$ implies $P \sqsubseteq_{pmust} Q$. The structure of the proof follows closely that of [5]. Most of the intermediate lemmas in this section are not specific to the $\pi$-calculus; rather, they utilise the underlying probabilistic automata semantics.

Let $\pi^\omega$ be the set of all $\pi$ processes that may use action $\omega$. We write $s \xrightarrow{\alpha}_\omega \Delta$ if either $\alpha = \omega$ or $\alpha \neq \omega$ but both $s \nrightarrow_\omega$ and $s \xrightarrow{\alpha} \Delta$ hold. We define $\Longrightarrow_\omega$ as we did for $\Longrightarrow$, using $\xrightarrow{\tau}_\omega$ in place of $\xrightarrow{\tau}$. Similarly, we define $\stackrel{\alpha}{\Longrightarrow}_\omega$ and $\stackrel{\hat\alpha}{\Longrightarrow}_\omega$. Simulation and failure simulation are adapted to $\pi^\omega$ as follows.
Definition 6. Let $\lhd^e_{FS} \subseteq \pi^\omega \times \mathcal{D}(\pi^\omega)$ be the largest relation such that $s \lhd^e_{FS} \Theta$ implies

— If $s \xrightarrow{a(x)}_\omega \Delta$ and $x \notin fn(s, \Theta)$, then for every name $w$, there exist $\Theta_1$, $\Theta_2$ and $\Theta'$ such that

$$\Theta \Longrightarrow_\omega \Theta_1 \xrightarrow{a(x)}_\omega \Theta_2, \qquad \Theta_2[w/x] \Longrightarrow_\omega \Theta', \quad\text{and}\quad (\Delta[w/x]) \lhd^e_{FS} \Theta'.$$

— if $s \xrightarrow{\alpha}_\omega \Delta$ and $\alpha$ is not an input action, then there is some $\Theta'$ with $\Theta \stackrel{\hat\alpha}{\Longrightarrow}_\omega \Theta'$ and $\Delta \lhd^e_{FS} \Theta'$;

— if $s \nrightarrow_X$ with $\omega \in X$ then there is some $\Theta'$ with $\Theta \Longrightarrow_\omega \Theta'$ and $\Theta' \nrightarrow_X$.

Similarly we can define $\lhd^e_S$ by dropping the third clause. Let $P \sqsubseteq^e_{FS} Q$ if $\llbracket P \rrbracket \Longrightarrow_\omega \Theta$ for some $\Theta$ with $\llbracket Q \rrbracket \lhd^e_{FS} \Theta$. Similarly, $P \sqsubseteq^e_S Q$ if $\llbracket Q \rrbracket \Longrightarrow_\omega \Theta$ for some $\Theta$ with $\llbracket P \rrbracket \lhd^e_S \Theta$.

Note that for $\pi$-processes $P$, $Q$, there is no action $\omega$, therefore we have $P \sqsubseteq_{FS} Q$ iff $P \sqsubseteq^e_{FS} Q$, and $P \sqsubseteq_S Q$ iff $P \sqsubseteq^e_S Q$.

Lemma 23. Let $P$, $Q$ be processes in $\pi$ and $T$ be a process in $\pi^\omega$.

1. If $P \sqsubseteq_S Q$ then $T \mid P \sqsubseteq^e_S T \mid Q$.

2. If $P \sqsubseteq_{FS} Q$ then $T \mid P \sqsubseteq^e_{FS} T \mid Q$.

Proof. Similar to the proof of Lemma 22. □

Lemma 24. 1. $P \sqsubseteq_{pmay} Q$ if and only if for every test $T$ we have

$$\max(\mathcal{V}(\llbracket \nu\vec{x}.(T \mid P) \rrbracket)) \leq \max(\mathcal{V}(\llbracket \nu\vec{x}.(T \mid Q) \rrbracket))$$

where $\vec{x}$ contains the free names of $T$, $P$ and $Q$, excluding $\omega$.

2. $P \sqsubseteq_{pmust} Q$ if and only if for every test $T$ we have

$$\min(\mathcal{V}(\llbracket \nu\vec{x}.(T \mid P) \rrbracket)) \leq \min(\mathcal{V}(\llbracket \nu\vec{x}.(T \mid Q) \rrbracket))$$

where $\vec{x}$ contains the free names of $T$, $P$ and $Q$, excluding $\omega$.

Proof. The results follow from the simple fact that, for non-empty finite outcome sets $O_1$, $O_2$,

— $O_1 \leq_{Ho} O_2$ iff $\max(O_1) \leq \max(O_2)$

— $O_1 \leq_{Sm} O_2$ iff $\min(O_1) \leq \min(O_2)$

which is established as Proposition 2.1 in [7]. □

Lemma 25. $\Delta_1 \Longrightarrow \Delta_2$ implies $\max(\mathcal{V}(\Delta_1)) \geq \max(\mathcal{V}(\Delta_2))$ and $\min(\mathcal{V}(\Delta_1)) \leq \min(\mathcal{V}(\Delta_2))$.

Proof. Similar properties are proven in [7, Lemma 6.15] using a function $\mathit{maxlive}$ instead of $\max \circ \mathcal{V}$. Essentially the same arguments apply here. □

Proposition 4. 1. $\Delta_1 \lhd^e_S \Delta_2$ implies $\max(\mathcal{V}(\Delta_1)) \leq \max(\mathcal{V}(\Delta_2))$.
2. $\Delta_1 \lhd^e_{FS} \Delta_2$ implies $\min(\mathcal{V}(\Delta_1)) \geq \min(\mathcal{V}(\Delta_2))$.

Proof. The first clause is proven in [7, Proposition 6.16] using a function $\mathit{maxlive}$ instead of $\max \circ \mathcal{V}$. The second clause is proven in [5, Proposition 4.10]. □

Theorem 2. 1. $P \sqsubseteq_S Q$ implies $P \sqsubseteq_{pmay} Q$.
2. $P \sqsubseteq_{FS} Q$ implies $P \sqsubseteq_{pmust} Q$.

Proof. We prove the second statement; the first one is similar. Suppose $P \sqsubseteq_{FS} Q$. Given Lemma 24, it is sufficient to show that for every test $T$,

$$\min(\mathcal{V}(\llbracket \nu\vec{x}(T \mid P) \rrbracket)) \leq \min(\mathcal{V}(\llbracket \nu\vec{x}(T \mid Q) \rrbracket))$$

where $\vec{x}$ contains the free names of $T$, $P$ and $Q$, but excluding $\omega$. Since $\sqsubseteq_{FS}$ is preserved by parallel composition (cf. Lemma 23) and name restriction, we have that

$$\nu\vec{x}(T \mid P) \sqsubseteq^e_{FS} \nu\vec{x}(T \mid Q),$$

which means there is a $\Theta$ such that $\llbracket \nu\vec{x}(T \mid P) \rrbracket \Longrightarrow_\omega \Theta$ and $\llbracket \nu\vec{x}(T \mid Q) \rrbracket \lhd^e_{FS} \Theta$. The result then follows from Proposition 4 and Lemma 25. □

6 A modal logic for $\pi_p$

We consider a modal logic based on a fragment of Milner-Parrow-Walker's (MPW) modal logic for the (non-probabilistic) $\pi$-calculus [16], but extended with a probabilistic disjunction operator $\oplus$, similar to that used in [5]. The language of formulas is given by the following grammar:

$$\varphi ::= \top \;\mid\; \mathit{ref}(X) \;\mid\; \langle a(x) \rangle\varphi \;\mid\; \langle \bar{a}x \rangle\varphi \;\mid\; \langle \bar{a}(x) \rangle\varphi \;\mid\; \varphi_1 \wedge \varphi_2 \;\mid\; \varphi_1\ {}_p\!\oplus \varphi_2$$

The $x$'s in $\langle a(x) \rangle\varphi$ and $\langle \bar{a}(x) \rangle\varphi$ are binders, whose scope is over $\varphi$. The diamond operator $\langle a(x) \rangle$ is called a bound input modal operator, $\langle \bar{a}x \rangle$ a free output modal operator and $\langle \bar{a}(x) \rangle$ a bound output modal operator. Instead of binary conjunction and probabilistic disjunction, we sometimes write $\bigwedge_{i \in I} \varphi_i$ and $\bigoplus_{i \in I} p_i \cdot \varphi_i$ for a finite index set $I$; they can be expressed by nested use of their binary forms. We refer to this modal logic as $\mathcal{F}$. Let $\mathcal{L}$ be the sub-logic of $\mathcal{F}$ obtained by skipping the $\mathit{ref}(X)$ clause. The semantics of each operator is defined as follows.

Definition 7. The satisfaction relation $\models$ between a distribution and a modal formula is defined inductively as follows:

— $\Delta \models \top$ always.

— $\Delta \models \mathit{ref}(X)$ iff there is a $\Delta'$ with $\Delta \Longrightarrow \Delta'$ and $\Delta' \nrightarrow_X$.

— $\Delta \models \langle a(x) \rangle\varphi$ iff for all $z$ there are $\Delta_1$, $\Delta_2$, $\Delta'$ and $w$ such that $\Delta \Longrightarrow \Delta_1 \xrightarrow{a(w)} \Delta_2$, $\Delta_2[z/w] \Longrightarrow \Delta'$ and $\Delta' \models \varphi[z/x]$.

— $\Delta \models \langle \bar{a}x \rangle\varphi$ iff for some $\Delta'$, $\Delta \stackrel{\bar{a}x}{\Longrightarrow} \Delta'$ and $\Delta' \models \varphi$.

— $\Delta \models \langle \bar{a}(x) \rangle\varphi$ iff for some $\Delta'$ and $w \notin fn(\varphi, \Delta)$, $\Delta \stackrel{\bar{a}(w)}{\Longrightarrow} \Delta'$ and $\Delta' \models \varphi[w/x]$.

— $\Delta \models \varphi_1 \wedge \varphi_2$ iff $\Delta \models \varphi_1$ and $\Delta \models \varphi_2$.

— $\Delta \models \varphi_1\ {}_p\!\oplus \varphi_2$ iff there are $\Delta_1, \Delta_2 \in \mathcal{D}(S_p)$ with $\Delta_1 \models \varphi_1$ and $\Delta_2 \models \varphi_2$, such that $\Delta \Longrightarrow p \cdot \Delta_1 + (1 - p) \cdot \Delta_2$.
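As an added worked instance of Definition 7 (this example is not part of the original paper), the derivation below evaluates the $\mathit{ref}$ and ${}_p\!\oplus$ clauses on a two-point distribution; it assumes the usual prefix syntax $\bar{a}b.\mathbf{0}$ (output $b$ on $a$, then stop) and the standard lifting in which a distribution performs a visible action only if every state in its support does.

```latex
\text{Let } \Delta \;=\; \tfrac12\cdot\delta[\bar{a}b.\mathbf{0}] \;+\; \tfrac12\cdot\delta[\bar{c}d.\mathbf{0}],
\quad\text{so } \lceil\Delta\rceil = \{\bar{a}b.\mathbf{0},\ \bar{c}d.\mathbf{0}\},\ \Delta \nrightarrow_\tau .

\textbf{(i) } \Delta \not\models \langle \bar{a}b \rangle \top :
\quad \Delta \stackrel{\bar{a}b}{\Longrightarrow} \Delta' \text{ needs } \Delta \Longrightarrow \Delta_1 \xrightarrow{\bar{a}b} \Delta_2,
\text{ but the only } \Delta_1 \text{ is } \Delta \text{ itself and } \bar{c}d.\mathbf{0} \nrightarrow_{\bar{a}b},
\text{ so the lifted step is impossible.}

\textbf{(ii) } \Delta \models \langle \bar{a}b \rangle \top \ {}_{1/2}\!\oplus\ \langle \bar{c}d \rangle \top :
\quad \text{take } \Delta_1 = \delta[\bar{a}b.\mathbf{0}],\ \Delta_2 = \delta[\bar{c}d.\mathbf{0}].
\ \Delta_1 \xrightarrow{\bar{a}b} \delta[\mathbf{0}] \models \top,\ \Delta_2 \xrightarrow{\bar{c}d} \delta[\mathbf{0}] \models \top,
\text{ and } \Delta \Longrightarrow \tfrac12\cdot\Delta_1 + \tfrac12\cdot\Delta_2 = \Delta \text{ (zero } \tau\text{-steps).}

\textbf{(iii) } \delta[\bar{a}b.\mathbf{0}] \models \mathit{ref}(\{a, \bar{c}\}) :
\quad \delta[\bar{a}b.\mathbf{0}] \Longrightarrow \delta[\bar{a}b.\mathbf{0}] \text{ and } \bar{a}b.\mathbf{0} \nrightarrow_{\{a,\bar{c}\}}
\ (\text{its only action is } \bar{a}b).
\qquad \delta[\bar{a}b.\mathbf{0}] \not\models \mathit{ref}(\{\bar{a}\}) .

\textbf{(iv) } \Delta \not\models \mathit{ref}(\{\bar{a}\}) \text{ and } \Delta \not\models \mathit{ref}(\{\bar{c}\})
\ (\text{every } \Delta' \text{ with } \Delta \Longrightarrow \Delta' \text{ is } \Delta,\ \text{which contains a state enabling each}),
\text{ yet } \Delta \models \mathit{ref}(\{\bar{a}\}) \ {}_{1/2}\!\oplus\ \mathit{ref}(\{\bar{c}\})
\text{ with } \Delta_1 = \delta[\bar{c}d.\mathbf{0}],\ \Delta_2 = \delta[\bar{a}b.\mathbf{0}] .
```

Cases (ii) and (iv) show why the probabilistic disjunction is needed: neither disjunct alone is satisfied by $\Delta$, because satisfaction of a modality or a refusal is checked against the whole support.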

We write $\Delta \sqsubseteq_{\mathcal{L}} \Theta$ just when $\Delta \models \varphi$ implies $\Theta \models \varphi$ for all $\varphi \in \mathcal{L}$, and $\Delta \sqsubseteq_{\mathcal{F}} \Theta$ just when $\Theta \models \varphi$ implies $\Delta \models \varphi$ for all $\varphi \in \mathcal{F}$. We write $P \sqsubseteq_{\mathcal{L}} Q$ when $\llbracket P \rrbracket \sqsubseteq_{\mathcal{L}} \llbracket Q \rrbracket$ and $P \sqsubseteq_{\mathcal{F}} Q$ when $\llbracket P \rrbracket \sqsubseteq_{\mathcal{F}} \llbracket Q \rrbracket$.

Following [5], in order to show soundness of the logical preorders w.r.t. the simulation preorders, we need to define a notion of characteristic formulas.

Definition 8 (Characteristic formula). The $\mathcal{F}$-characteristic formulas $\varphi_s$ and $\varphi_\Delta$ of, respectively, a state-based process $s$ and a distribution $\Delta$ are defined inductively as follows:

$$\varphi_s := \bigwedge\{\langle \alpha \rangle\varphi_\Delta \mid s \xrightarrow{\alpha} \Delta\} \wedge \mathit{ref}(\{\mu \mid s \nrightarrow_\mu\}) \qquad \text{if } s \nrightarrow_\tau$$

$$\varphi_s := \bigwedge\{\langle \alpha \rangle\varphi_\Delta \mid s \xrightarrow{\alpha} \Delta,\ \alpha \neq \tau\} \wedge \bigwedge\{\varphi_\Delta \mid s \xrightarrow{\tau} \Delta\} \qquad \text{otherwise}$$

$$\varphi_\Delta := \bigoplus_{s \in \lceil\Delta\rceil} \Delta(s) \cdot \varphi_s$$

where $\bigoplus$ is a generalised probabilistic choice as in Section 2. The $\mathcal{L}$-characteristic formulas $\psi_s$ and $\psi_\Delta$ are defined likewise, but omitting the conjuncts $\mathit{ref}(\{\mu \mid s \nrightarrow_\mu\})$.

Note that because we use the late semantics (cf. Figure 1), the conjunction in $\varphi_s$ is finite even though there can be infinitely many (input) transitions from $s$.

Given a state-based process $s$, we define its size, $|s|$, as the number of process constructors and names in $s$. The following lemma is straightforward from the definition of the operational semantics of $\pi_p$.

Lemma 26. If $s \xrightarrow{\alpha} \Delta$ then $|s| > |t|$ for every $t \in \lceil\Delta\rceil$.

Lemma 27. For every $\Delta \in \mathcal{D}(S_p)$, $\Delta \models \varphi_\Delta$, as well as $\Delta \models \psi_\Delta$.

Proof. It is enough to show that $\delta[s] \models \varphi_s$. This is proved by induction on $|s|$. So suppose $s \nrightarrow_\tau$. Then we have

$$\varphi_s = \mathit{ref}(\{\mu \mid s \nrightarrow_\mu\}) \wedge \bigwedge\{\langle a(x) \rangle\varphi_\Delta \mid s \xrightarrow{a(x)} \Delta\} \wedge \bigwedge\{\varphi_\Delta \mid s \xrightarrow{\tau} \Delta\} \wedge \bigwedge\{\langle \bar{a}x \rangle\varphi_\Delta \mid s \xrightarrow{\bar{a}x} \Delta\} \wedge \bigwedge\{\langle \bar{a}(x) \rangle\varphi_\Delta \mid s \xrightarrow{\bar{a}(x)} \Delta\}.$$

where $\varphi_\Delta = \bigoplus_{s \in \lceil\Delta\rceil} \Delta(s) \cdot \varphi_s$. For each of the conjuncts $\phi$, we prove that $\delta[s] \models \phi$. We show here two cases; the other cases are similar.

— $\phi = \mathit{ref}(X)$, where $X = \{\mu \mid s \nrightarrow_\mu\}$. For each $\mu \in X$ we have $s \nrightarrow_\mu$. Moreover, since $s \nrightarrow_\tau$, we see that $s \nrightarrow_X$.

— $\phi = \langle a(x) \rangle\varphi_\Delta$. So suppose $s \xrightarrow{a(x)} \Delta$ and $\lceil\Delta\rceil = \{s_i \mid i \in I\}$ and $\Delta = \sum_{i \in I} p_i \cdot \delta[s_i]$. Since $|s_i| < |s|$, by the induction hypothesis, for every name $w$, we have

$$\delta[s_i[w/x]] \models \varphi_{s_i}[w/x]$$

and therefore:

$$\Delta[w/x] = \sum_{i \in I} p_i \cdot \delta[s_i[w/x]] \models \bigoplus_{i \in I} p_i \cdot \varphi_{s_i}[w/x] = \varphi_\Delta[w/x].$$

Let $\Theta_1 = \Theta_2 = \delta[s]$. Obviously we have, for every $w$,

$$\Theta_1 \Longrightarrow \Theta_2 \xrightarrow{a(x)} \Delta, \qquad \Delta[w/x] \models \varphi_\Delta[w/x].$$

So by Definition 7, $\delta[s] \models \phi$. □

a 

Lemma 28. For any processes $P$ and $Q$, $\llbracket P \rrbracket \models \varphi_{\llbracket Q \rrbracket}$ implies $P \sqsubseteq_{FS} Q$, and likewise $\llbracket Q \rrbracket \models \psi_{\llbracket P \rrbracket}$ implies $P \sqsubseteq_S Q$.

Proof. Let $\mathcal{R}$ be the relation defined as follows: $s\,\mathcal{R}\,\Theta$ iff $\Theta \models \varphi_s$. We first prove the following claim:

$$\Theta \models \varphi_\Delta \text{ implies there exists } \Theta' \text{ such that } \Theta \Longrightarrow \Theta' \text{ and } \Delta\,\mathcal{R}\,\Theta'. \tag{26}$$

To prove this claim (following [5]), suppose that $\Theta \models \varphi_\Delta$. By definition, $\varphi_\Delta = \bigoplus_{i \in I} p_i \cdot \varphi_{s_i}$ and $\Delta = \sum_{i \in I} p_i \cdot \delta[s_i]$. For every $i \in I$, we have $\Theta_i \in \mathcal{D}(S_p)$ with $\Theta_i \models \varphi_{s_i}$ such that $\Theta \Longrightarrow \Theta'$ with $\Theta' = \sum_{i \in I} p_i \cdot \Theta_i$. Since $s_i\,\mathcal{R}\,\Theta_i$ for all $i \in I$, we have $\Delta\,\mathcal{R}\,\Theta'$.

We now proceed to show that $\mathcal{R}$ is a failure simulation, hence proving the first statement of the lemma. So suppose $s\,\mathcal{R}\,\Theta$.

1. Suppose $s \xrightarrow{\tau} \Delta$. By the definition of $\mathcal{R}$, we have $\Theta \models \varphi_s$. By Definition 8, we also have $\Theta \models \varphi_\Delta$. By (26) above, there exists $\Theta'$ such that $\Theta \Longrightarrow \Theta'$ and $\Delta\,\mathcal{R}\,\Theta'$.

2. Suppose $s \xrightarrow{\bar{a}x} \Delta$. Then by Definition 8, $\Theta \models \langle \bar{a}x \rangle\varphi_\Delta$. So $\Theta \stackrel{\bar{a}x}{\Longrightarrow} \Theta'$ and $\Theta' \models \varphi_\Delta$, for some $\Theta'$. By (26), there exists $\Theta''$ such that $\Theta' \Longrightarrow \Theta''$ and $\Delta\,\mathcal{R}\,\Theta''$. This means that $\Theta \stackrel{\bar{a}x}{\Longrightarrow} \Theta''$ and $\Delta\,\mathcal{R}\,\Theta''$.

3. Suppose $s \xrightarrow{a(x)} \Delta$ for some $x \notin fn(s, \Theta)$. By Definition 8, $\Theta \models \langle a(x) \rangle\varphi_\Delta$. This means for every name $z$, there exist $\Theta_1^z$, $\Theta_2^z$ and $\Theta^z$ such that $\Theta \Longrightarrow \Theta_1^z \xrightarrow{a(x)} \Theta_2^z$, $\Theta_2^z[z/x] \Longrightarrow \Theta^z$ and $\Theta^z \models \varphi_\Delta[z/x]$.³ Then by (26) we have $\Theta^z \Longrightarrow \Theta'_z$ and $\Delta[z/x]\,\mathcal{R}\,\Theta'_z$. So we indeed have, for every name $z$, $\Theta_1^z$, $\Theta_2^z$ and $\Theta'_z$ such that

$$\Theta \Longrightarrow \Theta_1^z \xrightarrow{a(x)} \Theta_2^z, \qquad \Theta_2^z[z/x] \Longrightarrow \Theta'_z \quad\text{and}\quad \Delta[z/x]\,\mathcal{R}\,\Theta'_z.$$

³ Strictly speaking, we should also consider the case where $\Theta_1^z \xrightarrow{a(w)} \Theta_2^z$, but it is easy to see that since $x \notin fn(s, \Theta)$ we can always apply a renaming to rename $w$ to $x$.

4. Suppose $s \xrightarrow{\bar{a}(x)} \Delta$. This case is similar to the previous one, except that we need only to consider one instance of $x$ with a fresh name.

5. Suppose $s \nrightarrow_X$ for a set of channel names $X$. By Definition 8, we have $\Theta \models \mathit{ref}(X)$. Hence, there is some $\Theta'$ with $\Theta \Longrightarrow \Theta'$ and $\Theta' \nrightarrow_X$.

To establish the second statement, define $\mathcal{R}$ by $s\,\mathcal{R}\,\Theta$ iff $\Theta \models \psi_s$. Just as above it can be shown that $\mathcal{R}$ is a simulation. Then the second statement of the lemma easily follows. □

Theorem 3. 1. If $P \sqsubseteq_{\mathcal{L}} Q$ then $P \sqsubseteq_S Q$.
2. If $P \sqsubseteq_{\mathcal{F}} Q$ then $P \sqsubseteq_{FS} Q$.

Proof. Suppose $P \sqsubseteq_{\mathcal{L}} Q$. By Lemma 27, we have $\llbracket P \rrbracket \models \psi_{\llbracket P \rrbracket}$, hence $\llbracket Q \rrbracket \models \psi_{\llbracket P \rrbracket}$. Then by Lemma 28, we have $P \sqsubseteq_S Q$.

For the second statement, assume $P \sqsubseteq_{\mathcal{F}} Q$. We have $\llbracket Q \rrbracket \models \varphi_{\llbracket Q \rrbracket}$ and hence $\llbracket P \rrbracket \models \varphi_{\llbracket Q \rrbracket}$, and thus $P \sqsubseteq_{FS} Q$. □



7 Completeness of the simulation preorders 

In the following, we assume a function $\mathit{new}$ that takes as an argument a finite set of names and outputs a fresh name, i.e., if $\mathit{new}(N) = x$ then $x \notin N$. If $N = \{x_1, \ldots, x_n\}$, we write $[x \neq N]P$ to abbreviate $[x \neq x_1][x \neq x_2] \cdots [x \neq x_n]P$.

For convenience of presentation, we write $\vec{\omega}$ for the vector in $[0,1]^\Omega$ defined by $\vec{\omega}(\omega) = 1$ and $\vec{\omega}(\omega') = 0$ for any $\omega' \neq \omega$. We also extend the $\mathit{Apply}^\Omega$ function to allow applying a test to a distribution, defined as $\mathit{Apply}^\Omega(T, \Delta) = \mathcal{V}(\nu\vec{x}(\llbracket T \rrbracket \mid \Delta))$ where $\vec{x} = fn(T, \Delta) - \Omega$.

Lemma 29. If $\Delta \models \varphi$ then $\Delta\sigma \models \varphi\sigma$ for any renaming substitution $\sigma$.

In the following, given a name $a$, we write $a.P$ to denote $a(y).P$ for some $y \notin fn(P)$. Similarly, we write $\bar{a}.P$ to denote $\bar{a}a.P$. Recall that the size of a state-based process, $|s|$, is the number of symbols in $s$. The size of a distribution $\Delta$, written $|\Delta|$, is the multiset $\{|s| \mid s \in \lceil\Delta\rceil\}$. There is a well-founded ordering on $|\Delta|$, i.e., the multiset (of natural numbers) ordering, which we shall denote with $\prec$.

Lemma 30. Let $P$ be a process and $T$, $T_i$ be tests.

1. $o \in \mathit{Apply}^\Omega(\omega, P)$ iff $o = \vec{\omega}$.

2. Let $X = \{\mu_1, \ldots, \mu_n\}$ and $T = \mu_1.\omega + \ldots + \mu_n.\omega$. Then $\vec{0} \in \mathit{Apply}^\Omega(T, P)$ iff $\llbracket P \rrbracket \Longrightarrow \Delta$ for some $\Delta$ with $\Delta \nrightarrow_X$.

3. Suppose the action $\omega$ does not occur in the test $T$. Then $o \in \mathit{Apply}^\Omega(\omega + a(x).([x = y]\tau.T + \omega), P)$ with $o(\omega) = 0$ iff there is $\Delta$ such that $\llbracket P \rrbracket \stackrel{\bar{a}y}{\Longrightarrow} \Delta$ and $o \in \mathit{Apply}^\Omega(T[y/x], \Delta)$.

4. Suppose the action $\omega$ does not occur in the test $T$ and $fn(P) \subseteq N$. Then $o \in \mathit{Apply}^\Omega(\omega + a(x).([x \neq N]\tau.T + \omega), P)$ with $o(\omega) = 0$ iff there is $\Delta$ such that $\llbracket P \rrbracket \stackrel{\bar{a}(y)}{\Longrightarrow} \Delta$ and $o \in \mathit{Apply}^\Omega(T[y/x], \Delta)$.

5. Suppose the action $\omega$ does not occur in the test $T$. Then $o \in \mathit{Apply}^\Omega(\omega + \bar{a}x.T, P)$ with $o(\omega) = 0$ iff there are $\Delta$, $\Delta_1$ and $\Delta_2$ such that $\llbracket P \rrbracket \Longrightarrow \Delta_1 \xrightarrow{a(y)} \Delta_2$, $\Delta_2[x/y] \Longrightarrow \Delta$ and $o \in \mathit{Apply}^\Omega(T, \Delta)$.

6. $o \in \mathit{Apply}^\Omega(\bigoplus_{i \in I} p_i \cdot T_i, P)$ iff $o = \sum_{i \in I} p_i \cdot o_i$ for some $o_i \in \mathit{Apply}^\Omega(T_i, P)$ for all $i \in I$.

7. $o \in \mathit{Apply}^\Omega(\sum_{i \in I} \tau.T_i, P)$ if for all $i \in I$ there are $q_i \in [0,1]$ and $\Delta_i$ such that $\sum_{i \in I} q_i = 1$, $\llbracket P \rrbracket \Longrightarrow \sum_{i \in I} q_i \cdot \Delta_i$ and $o = \sum_{i \in I} q_i \cdot o_i$ for some $o_i \in \mathit{Apply}^\Omega(T_i, \Delta_i)$.

Proof. The proofs of items 1 and 2 are similar to the proofs of Lemma 6.7(1) and 
6.7(2) in [5] for pCSP; items 6 and 7 correspond to Lemma 6.7(4) and Lemma 
6.7(5) in [5], respectively. Items 3, 4 and 5 have a counterpart in Lemma 6.7(3) 
of [5], but they are quite different, due to the name-passing feature of the 7r- 
calculus, and the possibility of checking the identity of the input value via the 
match and the mismatch operators. We show here a proof of item 3; the proofs 
of items 4 and 5 are similar. 

We first generalize item 3 to distributions: given $\omega$ and $T$ as above, we have, for every distribution $\Theta$,

$o \in \mathit{Apply}^\Omega(\omega + a(x).([x = y]\tau.T + \omega), \Theta)$ with $o(\omega) = 0$ iff there is $\Delta$ such that $\Theta \stackrel{\bar{a}y}{\Longrightarrow} \Delta$ and $o \in \mathit{Apply}^\Omega(T[y/x], \Delta)$.

The 'if' part is straightforward from Definition 1. We show the 'only if' part here. The proof will make use of the following claim (easily proved by induction on $|\Theta|$):

Claim: $o \in \mathit{Apply}^\Omega([y = y]\tau.T[y/x] + \omega, \Theta)$ with $o(\omega) = 0$ iff there is $\Delta$ such that $\Theta \Longrightarrow \Delta$ and $o \in \mathit{Apply}^\Omega(T[y/x], \Delta)$.

So, suppose we have $o \in \mathit{Apply}^\Omega(\omega + a(x).([x = y]\tau.T + \omega), \Theta)$ with $o(\omega) = 0$. We show, by induction on $|\Theta|$, that there exists $\Delta$ such that $\Theta \stackrel{\bar{a}y}{\Longrightarrow} \Delta$ and $o \in \mathit{Apply}^\Omega(T[y/x], \Delta)$. Let $T' = \omega + a(x).([x = y]\tau.T + \omega)$, and suppose $\Theta = p_1 \cdot \delta[s_1] + \cdots + p_n \cdot \delta[s_n]$, for pairwise distinct state-based processes $s_1, \ldots, s_n$, and suppose that $\vec{z}$ is an enumeration of the set $fn(T', \Theta) - \Omega$. Then

$$\mathit{Apply}^\Omega(T', \Theta) = \mathcal{V}^\Omega(p_1 \cdot \delta[\nu\vec{z}(T' \mid s_1)] + \cdots + p_n \cdot \delta[\nu\vec{z}(T' \mid s_n)]).$$

From Definition 1, in order to have $o(\omega) = 0$, it must be the case that $\nu\vec{z}(T' \mid s_j) \xrightarrow{\tau}$ for every $j \in \{1, \ldots, n\}$. From the definition of the operational semantics, there are exactly two cases where this might happen:

— For some $i$, $s_i \xrightarrow{\tau} \Delta$ for some distribution $\Delta$. Let $\Theta' = p_1 \cdot \delta[s_1] + \cdots + p_i \cdot \Delta + \cdots + p_n \cdot \delta[s_n]$. Then we have $\Theta \xrightarrow{\tau} \Theta'$ and $\nu\vec{z}(T' \mid \Theta) \xrightarrow{\tau} \nu\vec{z}(T' \mid \Theta')$. The latter means that $o \in \mathcal{V}^\Omega(\nu\vec{z}(T' \mid \Theta'))$ as well. By Lemma 26, we know that $|\Delta| \prec \{|s_i|\}$, and therefore $|\Theta'| \prec |\Theta|$. By the induction hypothesis,

$$\Theta \xrightarrow{\tau} \Theta' \stackrel{\bar{a}y}{\Longrightarrow} \Delta$$

and $o \in \mathit{Apply}^\Omega(T[y/x], \Delta)$.

— For every $i \in \{1, \ldots, n\}$, we have $s_i \nrightarrow_\tau$. This can only mean that the $\tau$ transition from $\nu\vec{z}(T' \mid s_i)$ derives from a communication between $T'$ and $s_i$. This means that $s_i \downarrow_{\bar{a}}$ for every $i \in \{1, \ldots, n\}$. We claim that, in fact, for every $i$, we have $s_i \xrightarrow{\bar{a}y} \Theta_i$, for some $\Theta_i$. For otherwise, we would have that for some $j$, $\nu\vec{z}(T' \mid s_j) \xrightarrow{\tau} \nu\vec{z}(([u = y]\tau.T[y/x] + \omega) \mid \Theta_j)$, for some $u$ distinct from $y$. But this means that only the $\omega$ action is enabled in the test, so all results of $\mathcal{V}^\Omega(\nu\vec{z}(([u = y]\tau.T[y/x] + \omega) \mid \Theta_j))$ in this case would have a non-zero $\omega$ component, which would mean that $o(\omega)$ would be non-zero as well, contradicting the assumption that $o(\omega) = 0$. So, we have $s_i \xrightarrow{\bar{a}y} \Theta_i$ for every $i \in \{1, \ldots, n\}$. Let $\Theta' = p_1 \cdot \Theta_1 + \cdots + p_n \cdot \Theta_n$. Then we have $\Theta \xrightarrow{\bar{a}y} \Theta'$ and $\nu\vec{z}(T' \mid \Theta) \xrightarrow{\tau} \nu\vec{z}(T'' \mid \Theta')$ where $T'' = [y = y]\tau.T[y/x] + \omega$. The latter transition means that $o \in \mathcal{V}^\Omega(\nu\vec{z}(T'' \mid \Theta')) = \mathit{Apply}^\Omega(T'', \Theta')$. We can therefore apply the Claim above to get:

$$\Theta \xrightarrow{\bar{a}y}\Theta' \Longrightarrow \Delta$$

and $o \in \mathit{Apply}^\Omega(T[y/x], \Delta)$.

□

Lemma 31. If $o \in \mathit{Apply}^\Omega(\sum_{i \in I} \tau.T_i, P)$ then for all $i \in I$ there are $q_i \in [0,1]$ and $\Delta_i$ with $\sum_{i \in I} q_i = 1$ such that $\llbracket P \rrbracket \Longrightarrow \sum_{i \in I} q_i \cdot \Delta_i$ and $o = \sum_{i \in I} q_i \cdot o_i$ for some $o_i \in \mathit{Apply}^\Omega(T_i, \Delta_i)$.

Proof. The proof is similar to the proof of Lemma 6.8 in [5]. □

The key to the completeness proof is to find a 'characteristic test' for every formula $\varphi \in \mathcal{L}$ with a certain property. The construction of these characteristic tests is given in the following lemma. Note that unlike in the case of pCSP [5], this construction is parameterised by a finite set of names $N$, representing the set of free names of the process/distribution to which the test applies. This parameter is important for the test to be able to detect output of fresh names.

Lemma 32. For every finite set of names $N$ and every $\varphi \in \mathcal{F}$ such that $fn(\varphi) \subseteq N$, there exists a test $T_{(N,\varphi)}$ and $v_\varphi \in [0,1]^\Omega$, such that

$$\Delta \models \varphi \quad\text{iff}\quad \exists o \in \mathit{Apply}^\Omega(T_{(N,\varphi)}, \Delta) : o \leq v_\varphi \tag{28}$$

for every $\Delta$ with $fn(\Delta) \subseteq N$, and in case $\varphi \in \mathcal{L}$ we also have

$$\Delta \models \varphi \quad\text{iff}\quad \exists o \in \mathit{Apply}^\Omega(T_{(N,\varphi)}, \Delta) : o \geq v_\varphi. \tag{29}$$

$T_{(N,\varphi)}$ is called a characteristic test of $\varphi$ and $v_\varphi$ its target value.
Proof. The characteristic tests and target values are defined by induction on $\varphi$:

— $\varphi = \top$: Let $T_{(N,\varphi)} := \omega$ for some $\omega \in \Omega$ and $v_\varphi := \vec{\omega}$.

— $\varphi = \mathit{ref}(X)$ with $X = \{\mu_1, \ldots, \mu_n\}$: Let $T_{(N,\varphi)} := \mu_1.\omega + \ldots + \mu_n.\omega$ for some $\omega \in \Omega$, and $v_\varphi := \vec{0}$.

— $\varphi = \langle \bar{a}x \rangle \psi$: Let $T_{(N,\varphi)} := \omega + a(y).([y = x]\tau.T_{(N,\psi)} + \omega)$ for some $y \notin \mathrm{fn}(T_{(N,\psi)})$, where $\omega \in \Omega$ does not occur in $T_{(N,\psi)}$, and $v_\varphi := v_\psi$.

— $\varphi = \langle \bar{a}(x) \rangle \psi$: Let $z = \mathit{new}(N)$ and $N' = N \cup \{z\}$. Without loss of generality, we can assume that $x = z$ (since we consider terms equivalent modulo $\alpha$-conversion). Then let $T_{(N,\varphi)} := \omega + a(x).([x \notin N]\tau.T_{(N',\psi)} + \omega)$, where $\omega \in \Omega$ does not occur in $T_{(N',\psi)}$, and $v_\varphi := v_\psi$.

— $\varphi = \langle a(x) \rangle \psi$: Let $z = \mathit{new}(N)$ and $N' = N \cup \{z\}$. Let $p_w \in (0,1]$ for $w \in N'$ be chosen arbitrarily such that $\sum_{w \in N'} p_w = 1$. Then let

$$T_{(N,\varphi)} := \bigoplus_{w \in N'} p_w \cdot \big(\omega_w + \bar{a}w.T_{(N',\psi[w/x])}\big)$$

where $\omega_w$ does not occur in $T_{(N',\psi[w/x])}$ for each $w \in N'$, and $\omega_{w_1} \ne \omega_{w_2}$ if $w_1 \ne w_2$. We let $v_\varphi := \sum_{w \in N'} p_w \cdot v_{\psi[w/x]}$.

— $\varphi = \bigwedge_{i \in I} \varphi_i$ where $I$ is a finite and non-empty index set: Choose an $\Omega$-disjoint family $(T_{(N,\varphi_i)}, v_{\varphi_i})_{i \in I}$ of characteristic tests and target values. Let $p_i \in (0,1]$ for $i \in I$ be chosen arbitrarily such that $\sum_{i \in I} p_i = 1$. Then let

$$T_{(N,\varphi)} := \bigoplus_{i \in I} p_i \cdot T_{(N,\varphi_i)}$$

and $v_\varphi := \sum_{i \in I} p_i \cdot v_{\varphi_i}$.

— $\varphi = \bigoplus_{i \in I} p_i \cdot \varphi_i$: Choose an $\Omega$-disjoint family $(T_i, v_i)_{i \in I}$ of characteristic tests $T_i$ with target values $v_i$ for each $\varphi_i$, such that there are distinct success actions $\omega_i$ for $i \in I$ that do not occur in any of those tests. Let $T'_i := T_i \;{}_{\frac{1}{2}}\!\oplus\; \omega_i$ and $v'_i := \frac{1}{2} v_i + \frac{1}{2} \vec{\omega_i}$. Note that for all $i \in I$ also $T'_i$ is a characteristic test of $\varphi_i$ with target value $v'_i$. Let $T_{(N,\varphi)} := \sum_{i \in I} \tau.T'_i$ and $v_\varphi := \sum_{i \in I} p_i \cdot v'_i$.
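A worked instance of the construction above, added here as an illustration and not part of the original proof: take $\varphi = \langle \bar{a}(x) \rangle \langle \bar{b}x \rangle \top$ and $N = \{a, b\}$, so that $\mathrm{fn}(\varphi) \subseteq N$. The name $z$, the success actions $\omega_1, \omega_2, \omega_3 \in \Omega$ and the two processes $P$, $Q$ are chosen for the example (restriction is written with $\nu$), and the guard $[z \notin N]$ is spelled out as the mismatches $[z \ne a][z \ne b]$.

$$z = \mathit{new}(N), \qquad N' = \{a, b, z\}, \qquad x = z \text{ (by } \alpha\text{-conversion)}$$

$$T_{(N',\top)} := \omega_3, \qquad v_\top := \vec{\omega_3}$$

$$T_{(N',\langle \bar{b}z \rangle \top)} := \omega_2 + b(y).([y = z]\tau.\omega_3 + \omega_2), \qquad v_{\langle \bar{b}z \rangle \top} := v_\top = \vec{\omega_3}$$

$$T_{(N,\varphi)} := \omega_1 + a(z).\big([z \ne a][z \ne b]\tau.T_{(N',\langle \bar{b}z \rangle \top)} + \omega_1\big), \qquad v_\varphi := \vec{\omega_3}$$

For $P = (\nu c)\bar{a}c.\bar{b}c.\mathbf{0}$ the test can receive the fresh name $c$ for $z$; both guards $[c \ne a][c \ne b]$ and $[y = z]$ (with $y = c$) pass, the run ends by performing $\omega_3$, and the resulting outcome $o = \vec{\omega_3}$ satisfies $o \le v_\varphi$, so by (28) $[P] \models \varphi$. For $Q = \bar{a}a.\bar{b}a.\mathbf{0}$ the received name is $a \in N$, the mismatch guard blocks, and every resolution can only end by performing $\omega_1$; hence every $o \in \mathit{Apply}^{\Omega}(T_{(N,\varphi)}, [Q])$ has $o(\omega_1) = 1 > 0 = v_\varphi(\omega_1)$, so $[Q] \not\models \varphi$. It is exactly the mismatch against the names in $N$ that lets the test distinguish the output of a fresh name ($P$) from the output of a known one ($Q$), which is the role of the parameter $N$ noted before Lemma 32.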

We now prove (28) above by induction on $\varphi$:

— $\varphi = \top$: obvious.

— $\varphi = \mathit{ref}(X)$: Suppose $\Delta \models \varphi$. Then there is a $\Delta'$ with $\Delta \Longrightarrow \Delta'$ and $\Delta' \not\xrightarrow{X}$. By Lemma 30(2), $\vec{0} \in \mathit{Apply}^{\Omega}(T_{(N,\varphi)}, \Delta)$.

Now suppose $\exists o \in \mathit{Apply}^{\Omega}(T_{(N,\varphi)}, \Delta) : o \le v_\varphi$. This means $o = \vec{0}$, so by Lemma 30(2) there is a $\Delta'$ with $\Delta \Longrightarrow \Delta'$ and $\Delta' \not\xrightarrow{X}$. Hence $\Delta \models \varphi$.

— $\varphi = \langle \bar{a}x \rangle \psi$: Suppose $\Delta \models \varphi$. Then $\Delta \stackrel{\bar{a}x}{\Longrightarrow} \Delta'$ and $\Delta' \models \psi$. By the induction hypothesis, $\exists o \in \mathit{Apply}^{\Omega}(T_{(N,\psi)}, \Delta') : o \le v_\psi$. By Lemma 30(3), this means $o \in \mathit{Apply}^{\Omega}(\omega + a(y).([y = x]\tau.T_{(N,\psi)} + \omega), \Delta)$. Therefore, we have $o \in \mathit{Apply}^{\Omega}(T_{(N,\varphi)}, \Delta)$ and $o \le v_\varphi$.

Conversely, suppose $\exists o \in \mathit{Apply}^{\Omega}(T_{(N,\varphi)}, \Delta) : o \le v_\varphi$. This implies $o(\omega) = 0$. By Lemma 30(3), this means $\Delta \stackrel{\bar{a}x}{\Longrightarrow} \Delta'$ and $o \in \mathit{Apply}^{\Omega}(T_{(N,\psi)}, \Delta')$. By the induction hypothesis, we have $\Delta' \models \psi$, and therefore, by Definition 7, $\Delta \models \varphi$.

— $\varphi = \langle \bar{a}(x) \rangle \psi$: This is similar to the previous case. The only difference is that the guard $[x \notin N]$ makes sure that it is the bound output transition that is enabled from $\Delta$, so we use Lemma 30(4) in place of Lemma 30(3).

— $\varphi = \langle a(x) \rangle \psi$: Suppose $\Delta \models \varphi$. Then for every name $w$, there exist $\Delta_1$, $\Delta_2$ and $\Delta'$ such that:

$$\Delta \Longrightarrow \Delta_1 \xrightarrow{a(x)} \Delta_2, \quad \Delta_2[w/x] \Longrightarrow \Delta', \quad \text{and } \Delta' \models \psi[w/x]. \qquad (30)$$

In particular, (30) holds for any $w \in N'$, where $N' = N \cup \{\mathit{new}(N)\}$. By the induction hypothesis, $\exists o_w \in \mathit{Apply}^{\Omega}(T_{(N',\psi[w/x])}, \Delta') : o_w \le v_{\psi[w/x]}$, hence by Lemma 30(5),

$$o_w \in \mathit{Apply}^{\Omega}(\omega_w + \bar{a}w.T_{(N',\psi[w/x])}, \Delta)$$

for each $w \in N'$. Then by Lemma 30(6), we have

$$o \in \mathit{Apply}^{\Omega}(T_{(N,\varphi)}, \Delta)$$

where $o = \sum_{w \in N'} p_w \cdot o_w \le v_\varphi$.

Suppose $\exists o \in \mathit{Apply}^{\Omega}(T_{(N,\varphi)}, \Delta) : o \le v_\varphi$. Then by Lemma 30(6), we have $o = \sum_{w \in N'} p_w \cdot o_w$ for some $o_w$ with

$$o_w \in \mathit{Apply}^{\Omega}(\omega_w + \bar{a}w.T_{(N',\psi[w/x])}, \Delta).$$

The latter means, by Lemma 30(5), for each $w \in N'$, there are $\Delta_1$, $\Delta_2$ and $\Delta'$ such that

$$\Delta \Longrightarrow \Delta_1 \xrightarrow{a(x)} \Delta_2, \quad \Delta_2[w/x] \Longrightarrow \Delta', \qquad (31)$$

and

$$o_w \in \mathit{Apply}^{\Omega}(T_{(N',\psi[w/x])}, \Delta'). \qquad (32)$$

Since $\sum_{w \in N'} p_w \cdot o_w = o \le v_\varphi = \sum_{w \in N'} p_w \cdot v_{\psi[w/x]}$, we have

$$o_w \le v_{\psi[w/x]} \qquad (33)$$

for each $w \in N'$. Otherwise, suppose $o_w(\omega) > v_{\psi[w/x]}(\omega)$ for some $\omega \in \Omega$. We would have $o(\omega) = p_w \cdot o_w(\omega) > p_w \cdot v_{\psi[w/x]}(\omega) = v_\varphi(\omega)$, a contradiction to $o \le v_\varphi$. By (32), (33), and the induction hypothesis, we have

$$\Delta' \models \psi[w/x]. \qquad (34)$$

To show $\Delta \models \varphi$, we need to show for every $w$, there exist $\Delta_1$, $\Delta_2$ and $\Delta'$ satisfying (31) and (34) above. We have shown this for $w \in N'$. For the case where $w \notin N'$, this is obtained from the case where $x = z$ via the renaming $[w/z]$: Recall that $z \notin N$, so $z \notin \mathrm{fn}(\Delta_2)$ and $z \notin \mathrm{fn}(\psi)$. Therefore, we have, from (31) and Lemma 1(2),

$$\Delta_2[z/x][w/z] = \Delta_2[w/x] \Longrightarrow \Delta'[w/z]$$

and from (34) and Lemma 29, we have $\Delta'[w/z] \models \psi[w/x] = \psi[z/x][w/z]$.
— $\varphi = \bigwedge_{i \in I} \varphi_i$: Suppose $\Delta \models \varphi$. Then $\Delta \models \varphi_i$ for all $i \in I$, and by the induction hypothesis, $\exists o_i \in \mathit{Apply}^{\Omega}(T_{(N,\varphi_i)}, \Delta) : o_i \le v_{\varphi_i}$, and by Lemma 30(6)

$$\sum_{i \in I} p_i \cdot o_i \in \mathit{Apply}^{\Omega}(T_{(N,\varphi)}, \Delta)$$

and $\sum_{i \in I} p_i \cdot o_i \le \sum_{i \in I} p_i \cdot v_{\varphi_i} = v_\varphi$.

Suppose $\exists o \in \mathit{Apply}^{\Omega}(T_{(N,\varphi)}, \Delta) : o \le v_\varphi$. Then by Lemma 30(6), $o = \sum_{i \in I} p_i \cdot o_i$ with

$$o_i \in \mathit{Apply}^{\Omega}(T_{(N,\varphi_i)}, \Delta)$$

for each $i \in I$. As in the last case, we see from $\sum_{i \in I} p_i \cdot o_i \le \sum_{i \in I} p_i \cdot v_{\varphi_i}$ that $o_i \le v_{\varphi_i}$ for each $i \in I$. By induction, we have $\Delta \models \varphi_i$, therefore, by Definition 7, $\Delta \models \varphi$.

— $\varphi = \bigoplus_{i \in I} p_i \cdot \varphi_i$: Suppose $\Delta \models \varphi$. Then $\Delta \Longrightarrow \sum_{i \in I} p_i \cdot \Delta_i$ and $\Delta_i \models \varphi_i$. By the induction hypothesis,

$$\exists o_i \in \mathit{Apply}^{\Omega}(T_i, \Delta_i) : o_i \le v_i.$$

Hence, there are $o'_i \in \mathit{Apply}^{\Omega}(T'_i, \Delta_i)$ with $o'_i \le v'_i$. Thus by Lemma 30(7),

$$o := \sum_{i \in I} p_i \cdot o'_i \in \mathit{Apply}^{\Omega}(T_{(N,\varphi)}, \Delta),$$

and $o \le v_\varphi$.

Conversely, suppose $\exists o \in \mathit{Apply}^{\Omega}(T_{(N,\varphi)}, \Delta) : o \le v_\varphi$. Then by Lemma 31, there are $q_i$ and $\Delta_i$, for all $i \in I$, such that $\sum_{i \in I} q_i = 1$ and $\Delta \Longrightarrow \sum_{i \in I} q_i \cdot \Delta_i$ and $o = \sum_{i \in I} q_i \cdot o'_i$ for some $o'_i \in \mathit{Apply}^{\Omega}(T'_i, \Delta_i)$. Now $o'_i(\omega_i) = v'_i(\omega_i) = \frac{1}{2}$ for each $i \in I$. Using that $(T_i)_{i \in I}$ is an $\Omega$-disjoint family of tests, $\frac{1}{2} q_i = q_i \cdot o'_i(\omega_i) = o(\omega_i) \le v_\varphi(\omega_i) = p_i \cdot v'_i(\omega_i) = \frac{1}{2} p_i$, i.e. $q_i \le p_i$. As $\sum_{i \in I} q_i = \sum_{i \in I} p_i = 1$, it must be that $q_i = p_i$ for all $i \in I$. Exactly as in the previous case we obtain $o'_i \le v'_i$ for all $i \in I$. Given that $T'_i = T_i \;{}_{\frac{1}{2}}\!\oplus\; \omega_i$, using Lemma 30(6), it must be that $o'_i = \frac{1}{2} o_i + \frac{1}{2} \vec{\omega_i}$ for some $o_i \in \mathit{Apply}^{\Omega}(T_i, \Delta_i)$ with $o_i \le v_i$. By induction, $\Delta_i \models \varphi_i$ for all $i \in I$. Therefore, by Definition 7, $\Delta \models \varphi$.

In case $\varphi \in \mathcal{L}$, the formula cannot be of the form $\mathit{ref}(X)$. Then it is easy to show that $\sum_{\omega \in \Omega} v_\varphi(\omega) = 1$ and for all $\Delta$ and $o \in \mathit{Apply}^{\Omega}(T_{(N,\varphi)}, \Delta)$ we have $\sum_{\omega \in \Omega} o(\omega) = 1$. Therefore, $o \le v_\varphi$ iff $o \ge v_\varphi$ iff $o = v_\varphi$, yielding (29). □

Completeness of $\sqsubseteq_{\Omega\mathrm{pmay}}$ and $\sqsubseteq_{\Omega\mathrm{pmust}}$, and hence also $\sqsubseteq_{\mathrm{pmay}}$ and $\sqsubseteq_{\mathrm{pmust}}$ by Theorem 3 and Theorem 1, follows from Lemma 32.

Theorem 4. 1. If $P \sqsubseteq_{\Omega\mathrm{pmay}} Q$ then $P \sqsubseteq^{\mathcal{L}} Q$.
2. If $P \sqsubseteq_{\Omega\mathrm{pmust}} Q$ then $P \sqsubseteq^{\mathcal{F}} Q$.

Proof. Suppose $P \sqsubseteq_{\Omega\mathrm{pmay}} Q$ and $[P] \models \varphi$ for some $\varphi \in \mathcal{L}$. Let $N = \mathrm{fn}(P, \varphi)$ and let $T_{(N,\varphi)}$ be a characteristic test of $\varphi$ with target value $v_\varphi$. Then by Lemma 32, we have

$$\exists o \in \mathit{Apply}^{\Omega}(T_{(N,\varphi)}, [P]) : o \ge v_\varphi.$$

But since $P \sqsubseteq_{\Omega\mathrm{pmay}} Q$, this means $\exists o' \in \mathit{Apply}^{\Omega}(T_{(N,\varphi)}, [Q]) : o \le o'$, and thus $o' \ge v_\varphi$. So again, by Lemma 32, we have $[Q] \models \varphi$.

The case for the must preorder is similar, using the Smyth preorder. □

Theorem 5. 1. If $P \sqsubseteq_{\mathrm{pmay}} Q$ then $P \sqsubseteq_S Q$.
2. If $P \sqsubseteq_{\mathrm{pmust}} Q$ then $P \sqsubseteq_{FS} Q$.

8 Related and future work 

There have been a number of previous works on probabilistic extensions of the π-calculus by Palamidessi et al. [12, 2, 17]. One distinction between our formulation and that of Palamidessi et al. is the fact that we consider an interpretation of probabilistic summation as a distribution over state-based processes, whereas in those works, a process like $s \;{}_p\!\oplus\; t$ is considered as a proper process, which can evolve into the distribution $p \cdot \delta(s) + (1 - p) \cdot \delta(t)$ via an internal transition. We could encode this behaviour by a simple prefixing with the $\tau$ prefix. It would be interesting to see whether similar characterisations could be obtained for this restricted calculus. As far as we know, there are no existing works in the literature that give characterisations of the may- and must-testing preorders for the probabilistic π-calculus.

We structure our completeness proofs for the simulation preorders along the lines of the proofs of similar characterisations of simulation preorders for pCSP [7, 5]. The name-passing feature of the π-calculus, however, gives rise to several complications not encountered in pCSP, and requires new techniques to deal with them. In particular, due to the possibility of scope extrusion and close communication, the congruence properties of (failure) simulation are proved using an adaptation of the up-to techniques [19].

The immediate future work is to consider replication/recursion. There is a well-known problem with handling possible divergence; some ideas developed in [6, 1] might be useful for studying the semantics of $\pi_p$ as well.

Acknowledgment The second author is supported by the Australian Research 
Council Discovery Project DP110103173. Part of this work was done when the 
second author was visiting NICTA Kensington Lab in 2009; he would like to 
thank NICTA for the support he received during his visit. 

References 

1. M. Boreale and R. De Nicola. Testing equivalence for mobile processes. Inf. Comput., 120(2):279-303, 1995.






2. K. Chatzikokolakis and C. Palamidessi. A framework for analyzing probabilistic 
protocols and its application to the partial secrets exchange. Theor. Comput. Sci., 
389(3):512-527, 2007. 

3. R. De Nicola and M. Hennessy. Testing equivalences for processes. Theor. Comput. Sci., 34:83-133, 1984.

4. Y. Deng, R. van Glabbeek, C. Morgan, and C. Zhang. Scalar outcomes suffice 
for finitary probabilistic testing. In ESOP, volume 4421 of LNCS, pages 363-378. 
Springer, 2007. 

5. Y. Deng, R. J. van Glabbeek, M. Hennessy, and C. Morgan. Characterising testing 
preorders for finite probabilistic processes. Logical Methods in Computer Science, 
4(4), 2008. 

6. Y. Deng, R. J. van Glabbeek, M. Hennessy, and C. Morgan. Testing finitary prob- 
abilistic processes. In CONCUR, volume 5710 of LNCS, pages 274-288. Springer, 
2009. 

7. Y. Deng, R. J. van Glabbeek, M. Hennessy, C. Morgan, and C. Zhang. Remarks 
on testing probabilistic processes. ENTCS, 172:359-397, 2007. 

8. G. L. Ferrari, U. Montanari, and P. Quaglia. The weak late pi-calculus semantics as 
observation equivalence. In CONCUR, volume 962 of Lecture Notes in Computer 
Science, pages 57-71. Springer, 1995. 

9. H. Hansson and B. Jonsson. A calculus for communicating systems with time and probabilities. In IEEE Real-Time Systems Symposium, pages 278-287, 1990.

10. M. Hennessy. Powerdomains and nondeterministic recursive definitions. In Symposium on Programming, volume 137 of LNCS, pages 178-193. Springer, 1982.

11. M. Hennessy. Algebraic Theory of Processes. MIT Press, 1988. 

12. O. M. Herescu and C. Palamidessi. Probabilistic asynchronous pi-calculus. In 
FoSSaCS, volume 1784 of LNCS, pages 146-160. Springer, 2000. 

13. C. Hoare. Communicating Sequential Processes. Prentice-Hall, 1985. 

14. A. Ingolfsdottir. Late and early semantics coincide for testing. Theor. Comput. Sci., 146(1&2):341-349, 1995.

15. R. Milner, J. Parrow, and D. Walker. A calculus of mobile processes, II. Inf. Comput., 100(1):41-77, 1992.

16. R. Milner, J. Parrow, and D. Walker. Modal logics for mobile processes. Theor. Comput. Sci., 114(1):149-171, 1993.

17. G. Norman, C. Palamidessi, D. Parker, and P. Wu. Model checking probabilistic 
and stochastic extensions of the pi-calculus. IEEE Trans. Software Eng., 35(2):209- 
223, 2009. 

18. D. Sangiorgi. Bisimulation for higher-order process calculi. Inf. Comput., 
131(2):141-178, 1996. 

19. D. Sangiorgi. On the bisimulation proof method. Mathematical Structures in 
Computer Science, 8(5):447-479, 1998. 

20. D. Sangiorgi and D. Walker. The π-Calculus: A Theory of Mobile Processes. Cambridge University Press, 2001.

21. R. Segala and N. A. Lynch. Probabilistic simulations for probabilistic processes. 
In CONCUR, volume 836 of LNCS, pages 481-496. Springer, 1994. 

22. R. J. van Glabbeek, S. A. Smolka, and B. Steffen. Reactive, generative and stratified models of probabilistic processes. Inf. Comput., 121(1):59-80, 1995.

23. R. J. van Glabbeek and W. P. Weijland. Branching time and abstraction in bisim- 
ulation semantics. J. ACM, 43(3):555-600, 1996. 

24. W. Yi and K. G. Larsen. Testing probabilistic and nondeterministic processes. In PSTV, volume C-8 of IFIP Transactions, pages 47-61. North-Holland, 1992.






